This also impacts os-brick that has recently copied the encryptor
codebase with change :

Copy encryptors from Nova to os-brick

We should really try to remove the Nova encryptors this cycle I

** Also affects: os-brick
   Importance: Undecided
       Status: New

You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).

  The passphrase used to encrypt or decrypt volumes was mangled prior to

Status in OpenStack Compute (nova):
  In Progress
Status in os-brick:

Bug description:

  tl;dr hex(x) previously stripped leading 0's from individual hex
  numbers while encoding the passphrase back to a hex string before use
  to encrypt/decrypt a luks volume.

  Prior to Newton the following method was used to encode passphrases
  when attempting to use or create a luks volume :

      def _get_passphrase(self, key):
          """Convert raw key to string."""
          return ''.join(hex(x).replace('0x', '') for x in key)

  This was replaced in Newton with the move to Castellan in the
  following change that altered both the decoding and encoding steps :

  Replace key manager with Castellan

  The original method used the built-in hex() call to convert individual
  unsigned ints back to hex. This would strip the leading 0 from each
  hex digit pair, altering the eventual passphrase used to encrypt or
  decrypt the volume.

  For example, the following one liner represents both the initial
  decode step preformed by ConfKeyManager and the step above to encode
  the passphrase in the LuksEncryptor class :

  >>> ''.join(hex(x).replace('0x', '') for x in array.array('B', 

  Original string: 752523eb50c3bf2ba3ff639c250405805fd4e779894ef5360e15e081696a
  New string     : 752523eb50c3bf2ba3ff639c25 4 5805fd4e779894ef536 e15e081696a

  The returned string is missing various 0's that have been stripped by
  the hex() call :

  >>> hex(14)

  >>> int(0x0e)

  >>> int(0xe)

  >>> hex(4)

  >>> int(0x04)

  >>> int(0x4)

  The following one liner represents the current decode and encode
  steps, producing the same string as is entered :

  >>> import binascii

  Original string: 752523eb50c3bf2ba3ff639c250405805fd4e779894ef5360e15e081696a
  New string     : 752523eb50c3bf2ba3ff639c250405805fd4e779894ef5360e15e081696a

  IMHO the way to handle this is to add a simple retry in master and
  stable/newton when we fail due to a bad passphrase using the mangled

  We should also improve the testing in this area as it appears all
  previous testing used zero based passphrases, missing this issue when
  it landed in Newton.

  More notes available downstream in the following bug :

  Nova encryption alters the key used

  Steps to reproduce
  - Encrypt a volume in Mitaka or earlier.
  - Upgrade to Newton or later.
  - Attempt to use the volume.

  Expected result
  Volume is decrypted and usable.

  Actual result
  Unable to decrypt the volume due to the use of an modified passphrase during 
initial formatting and use prior to Newton.

  1. Exact version of OpenStack you are running. See the following
    list for all releases:
     Newton and later.
  2. Which hypervisor did you use?

  2. Which storage type did you use?

  3. Which networking type did you use?
     (For example: nova-network, Neutron with OpenVSwitch, ...)

  Logs & Configs

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to