[dm-crypt] Detached headers, multiple drives and UUIDs

Robert Nichols rnicholsNOSPAM at comcast.net
Mon Apr 10 20:28:14 CEST 2017


On 04/10/2017 08:25 AM, Milan Broz wrote:
> On 04/10/2017 03:07 PM, 7heo wrote:
>> Hello all,
>>
>> I have a question regarding the deported headers in LUKS, and how it
>> can be used to simplify the setup of RAID over LUKS:
>>
>> The current way to automatically unlock all the drives used in a Raid
>> array seems to be to add the same key to all the drives in the
>> array.
>>
>> However that doesn't work with detached headers for obvious reasons.
>> The detached headers can apparently be used on any number of
>> devices/files at the same time, with one problem: they all have the
>> same UUID. I tried using the --uuid flag with luksOpen without
>> success.
>
> You cannot change UUID for activated LUKS device, UUID must match the header
> (otherwise libcryptsetup cannot handle many functions).

No one is asking to change the UUID of an activated LUKS device. Let's approach this in a different way:

Is there any need for the detached header to remain available after the LUKS device has been activated? That is, could I have the detached header on a separate, removable device and, after activating the LUKS device via that header, unmount that separate device and lock it away in a safe? Would that interfere with access to the activated device or interfere with a subsequent luksClose operation? I don't see any reason why it should, since "--header" is not mentioned as an option for luksClose (and its aliases). Obviously, no _other_ LUKS operation would be possible without that header.

When I try this in CentOS 7 (cryptsetup-1.7.2-1.el7) it seems to work just fine. No, I didn't try any of the "not possible" operations.

Given that the above is possible, then why could one not modify the UUID in that detached header and use it for a different device, given that one accepts that luksClose is the only possible LUKS operation on that orphaned active device?

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
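The thread turns on the point that a LUKS device's UUID lives only in its header, so any number of data devices opened through one detached header share that single UUID, and a mismatch between header and device is what libcryptsetup refuses to work with. The following Python is an added example, not code from the list thread or from cryptsetup: it reads the fixed fields of a LUKS header (on-disk or a detached header file) and returns its UUID and, for LUKS1, the active key slots, so an administrator can verify which UUID a detached header or one of its backup copies carries before relying on it. It goes beyond the LUKS1-only cryptsetup of the thread by also reading the UUID from a LUKS2 binary header. Field offsets follow the published LUKS1 and LUKS2 on-disk formats; the headers it builds are constructed samples with dummy digests and salts and no key material.

```python
import struct
import uuid as uuidlib

# Layout constants from the published LUKS1 and LUKS2 on-disk formats.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592          # phdr (208 bytes) + 8 key slots of 48 bytes
LUKS1_KEYSLOT_OFFSET = 208
LUKS1_KEYSLOT_LEN = 48
LUKS1_KEY_ENABLED = 0x00AC71F3
LUKS1_KEY_DISABLED = 0x0000DEAD
LUKS2_BIN_HEADER_LEN = 4096     # binary part only; the JSON metadata area follows it


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(buf: bytes) -> dict:
    """Parse the fixed fields of a LUKS1 or LUKS2 header.

    The UUID is the only identity the device has: every data device opened
    through the same detached header reports the UUID stored in that header.
    """
    if len(buf) < 8 or buf[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    version = struct.unpack_from(">H", buf, 6)[0]
    if version == 1:
        if len(buf) < LUKS1_HEADER_LEN:
            raise ValueError("truncated LUKS1 header")
        (cipher, mode, hash_spec, payload_offset, key_bytes,
         _mk_digest, _mk_salt, mk_iter, uuid_raw) = struct.unpack_from(
            ">32s32s32sII20s32sI40s", buf, 8)
        active = []
        for slot in range(8):
            off = LUKS1_KEYSLOT_OFFSET + slot * LUKS1_KEYSLOT_LEN
            state = struct.unpack_from(">I", buf, off)[0]
            if state == LUKS1_KEY_ENABLED:
                active.append(slot)
            elif state != LUKS1_KEY_DISABLED:
                raise ValueError(f"key slot {slot} has unknown state {state:#x}")
        return {"version": 1, "uuid": _cstr(uuid_raw), "cipher": _cstr(cipher),
                "mode": _cstr(mode), "hash": _cstr(hash_spec),
                "payload_offset": payload_offset, "key_bytes": key_bytes,
                "mk_iterations": mk_iter, "active_slots": active}
    if version == 2:
        if len(buf) < 264:
            raise ValueError("truncated LUKS2 binary header")
        (hdr_size, seqid, label, csum_alg, _salt, uuid_raw,
         subsystem, hdr_offset) = struct.unpack_from(">QQ48s32s64s40s48sQ", buf, 8)
        return {"version": 2, "uuid": _cstr(uuid_raw), "hdr_size": hdr_size,
                "seqid": seqid, "label": _cstr(label), "checksum_alg": _cstr(csum_alg),
                "subsystem": _cstr(subsystem), "hdr_offset": hdr_offset}
    raise ValueError(f"unsupported LUKS version {version}")


def check_header_uuid(hdr: dict) -> str:
    """Return the header UUID in canonical form; raise ValueError if it is malformed."""
    return str(uuidlib.UUID(hdr["uuid"]))


def build_sample_luks1_header(uuid_str: str, active_slots=(0,)) -> bytes:
    """Constructed LUKS1 header for this example: real layout, dummy digest/salt, no key material."""
    hdr = bytearray(LUKS1_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    struct.pack_into(">32s32s32sII20s32sI40s", hdr, 8,
                     b"aes", b"xts-plain64", b"sha256", 4096, 64,
                     b"\x11" * 20, b"\x22" * 32, 100000, uuid_str.encode("ascii"))
    for slot in range(8):
        off = LUKS1_KEYSLOT_OFFSET + slot * LUKS1_KEYSLOT_LEN
        enabled = slot in active_slots
        struct.pack_into(">II32sII", hdr, off,
                         LUKS1_KEY_ENABLED if enabled else LUKS1_KEY_DISABLED,
                         250000 if enabled else 0, b"\x33" * 32, 8 + 512 * slot, 4000)
    return bytes(hdr)


def build_sample_luks2_header(uuid_str: str, label: str = "") -> bytes:
    """Constructed LUKS2 binary header for this example (no JSON area, dummy salt)."""
    hdr = bytearray(LUKS2_BIN_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">QQ48s32s64s40s48sQ", hdr, 8,
                     16384, 1, label.encode("ascii"), b"sha256", b"\x44" * 64,
                     uuid_str.encode("ascii"), b"", 0)
    return bytes(hdr)


if __name__ == "__main__":
    # A detached header and one of its backup copies carry the same UUID,
    # so the data devices opened through either are indistinguishable by UUID.
    sample_uuid = "0f3a2b1c-5d6e-4f70-8a9b-0c1d2e3f4a5b"  # constructed value
    for raw in (build_sample_luks1_header(sample_uuid, active_slots=(0, 3)),
                build_sample_luks2_header(sample_uuid, label="raid-member")):
        hdr = parse_luks_header(raw)
        print(f"LUKS{hdr['version']} uuid={check_header_uuid(hdr)} "
              f"{'slots=' + str(hdr['active_slots']) if hdr['version'] == 1 else 'label=' + hdr['label']}")
```

To inspect a real detached header, read the first 592 bytes (LUKS1) or 4096 bytes (LUKS2) of the header file into `parse_luks_header`; the parser never touches key material, so it can run against a header that is otherwise locked away.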
