Lustre / LU-15767

If the user regains access to the encrypted directory from another client, the contents of the files will be deleted


Details

    • Bug
    • Resolution: Cannot Reproduce
    • Major
    • None
    • Lustre 2.15.0
    • 3

    Description

      On Client 1:

       

      # fscrypt setup
      Defaulting to policy_version 1 because kernel doesn't support v2.
      Customizing passphrase hashing difficulty for this system...
      Created global config file at "/etc/fscrypt.conf".
      Metadata directories created at "/.fscrypt".
      [root@trevis-90vm4 ~]# fscrypt setup /mnt/lustre
      Metadata directories created at "/mnt/lustre/.fscrypt".
      Change in /etc/fscrypt.conf policy_version field from 1 to 2 

      On Client 2:

       

      # fscrypt setup
      Defaulting to policy_version 1 because kernel doesn't support v2.
      Customizing passphrase hashing difficulty for this system...
      Created global config file at "/etc/fscrypt.conf".
      Metadata directories created at "/.fscrypt".
      Change in /etc/fscrypt.conf policy_version field from 1 to 2 

       

       

      On Client 1:

       

      # mkdir /mnt/lustre/private
      # ls -la  /mnt/lustre/
      total 16
      drwxr-xr-x  5 root root 4096 Apr 20 12:37 .
      drwxr-xr-x. 3 root root 4096 Mar  1 02:01 ..
      drwxr-xr-x  4 root root 4096 Apr 20 08:41 .fscrypt
      drwxr-xr-x  2 root root 4096 Apr 20 12:37 private 

       

       

      On Client 2:

       

      [root@trevis-90vm5 ~]# ls -la  /mnt/lustre/
      total 16
      drwxr-xr-x  5 root root 4096 Apr 20 12:37 .
      drwxr-xr-x. 3 root root 4096 Mar  1 02:01 ..
      drwxr-xr-x  4 root root 4096 Apr 20 08:41 .fscrypt
      drwxr-xr-x  2 root root 4096 Apr 20 12:37 private 

       

       

      On Client 1:

       

      # fscrypt encrypt /mnt/lustre/private
      The following protector sources are available:
      1 - Your login passphrase (pam_passphrase)
      2 - A custom passphrase (custom_passphrase)
      3 - A raw 256-bit key (raw_key)
      Enter the source number for the new protector [2 - custom_passphrase]: 2
      Enter a name for the new protector: shield
      Enter custom passphrase for protector "shield":
      Confirm passphrase:
      "/mnt/lustre/private" is now encrypted, unlocked, and ready for use.
      
      # echo "encrypt data" > /mnt/lustre/private/encrypt_file1
      # echo "encrypt data" > /mnt/lustre/private/encrypt_file2
      
      # ls -la /mnt/lustre/private
      total 8
      drwx------ 2 root root 4096 Apr 20 12:42 .
      drwxr-xr-x 5 root root 4096 Apr 20 12:37 ..
      -rw-r--r-- 1 root root    0 Apr 20 12:42 encrypt_file1
      -rw-r--r-- 1 root root    0 Apr 20 12:42 encrypt_file2
      
      # cat /mnt/lustre/private/encrypt_file1
      encrypt data
      # cat /mnt/lustre/private/encrypt_file2
      encrypt data 

       

       

      On Client 2:

      # ls -la /mnt/lustre/private/
      total 8
      drwx------ 2 root root 4096 Apr 20 12:42 .
      drwxr-xr-x 5 root root 4096 Apr 20 12:37 ..
      -rw-r--r-- 1 root root    0 Apr 20 12:42 1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC
      -rw-r--r-- 1 root root    0 Apr 20 12:42 piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B
        
      
      # cat /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC
      cat: /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC: Required key not available
      # cat /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B
      cat: /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B: Required key not available
      
      
      # echo "new data" > /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC
      -bash: /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC: Required key not available
      # echo "new data" > /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B
      -bash: /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B: Required key not available
      
      
      

       

      On Client 2:

      # fscrypt unlock /mnt/lustre/private
      Enter custom passphrase for protector "shield":
      "/mnt/lustre/private" is now unlocked and ready for use.
      

       

      After that the file size is 0

      On Client 1:

      # ls -la /mnt/lustre/private/
      total 8
      drwx------ 2 root root 4096 Apr 20 12:42 .
      drwxr-xr-x 6 root root 4096 Apr 20 13:00 ..
      -rw-r--r-- 1 root root    0 Apr 20 12:42 encrypt_file1
      -rw-r--r-- 1 root root    0 Apr 20 12:42 encrypt_file2
      
      # cat /mnt/lustre/private/encrypt_file1
      # cat /mnt/lustre/private/encrypt_file2

       

      On Client 2:

      # ls -la /mnt/lustre/private/
      total 8
      drwx------ 2 root root 4096 Apr 20 12:42 .
      drwxr-xr-x 6 root root 4096 Apr 20 13:00 ..
      -rw-r--r-- 1 root root    0 Apr 20 12:42 encrypt_file1
      -rw-r--r-- 1 root root    0 Apr 20 12:42 encrypt_file2
      
      # cat /mnt/lustre/private/encrypt_file1 
      # cat /mnt/lustre/private/encrypt_file2

       

       

       

      This is the first encrypted directory on this file system.

      With all the following encrypted directories, the bug could not be repeated.

            People

              sebastien Sebastien Buisson
              okulachenko Oleg Kulachenko (Inactive)