From 36ee8b2240e6d5413c17aabe5886a237ff81e18a Mon Sep 17 00:00:00 2001
From: Humble Chirammal
Date: Fri, 9 Oct 2020 11:14:09 +0530
Subject: [PATCH] rbd: make sure csi rbd pv encryption defaulting to luks2 version

Fixes: #https://github.com/ceph/ceph-csi/issues/1564
As per release notes this new version is compatible with previous version of LUKS.
https://www.saout.de/pipermail/dm-crypt/2017-December/005771.html
Signed-off-by: Humble Chirammal
---
 docs/design/proposals/encrypted-pvc.md | 2 +-
 internal/util/cryptsetup.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/design/proposals/encrypted-pvc.md b/docs/design/proposals/encrypted-pvc.md
index 2178322e0..21bc75013 100644
--- a/docs/design/proposals/encrypted-pvc.md
+++ b/docs/design/proposals/encrypted-pvc.md
@@ -3,7 +3,7 @@
 ## Proposal
 
 Subject of this proposal is to add support for encryption of RBD volumes in
-Ceph-CSI.
+Ceph-CSI with type LUKS version 2.
 
 Some but not all the benefits of this approach:
 
diff --git a/internal/util/cryptsetup.go b/internal/util/cryptsetup.go
index 08d7543db..a7c27f362 100644
--- a/internal/util/cryptsetup.go
+++ b/internal/util/cryptsetup.go
@@ -25,7 +25,7 @@ import (
 
 // LuksFormat sets up volume as an encrypted LUKS partition.
 func LuksFormat(devicePath, passphrase string) (stdout, stderr []byte, err error) {
- return execCryptsetupCommand(&passphrase, "-q", "luksFormat", "--type", "luks2", "--hash", "sha256", devicePath, "-d", "/dev/stdin")
+ return execCryptsetupCommand(&passphrase, "-q", "luksFormat", "--type", "luks2", "--hash", "sha256", devicePath, "-d", "/dev/stdin")
 }
 
 // LuksOpen opens LUKS encrypted partition and sets up a mapping.
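Review bot: Adding `"--type", "luks2"` to the `luksFormat` call in `LuksFormat` also changes the passphrase key-derivation function, and the new argument list does not pin it: as far as I know cryptsetup's LUKS2 default PBKDF is an Argon2 variant with a host-benchmarked memory cost, and `--hash sha256` no longer selects the KDF the way it did for LUKS1. If the plugin container runs under a memory limit, formatting or later opening a volume may be OOM-killed or become very slow, so I would make the choice explicit, for example `"--pbkdf-memory", "<KiB, placeholder>"` next to `"--type", "luks2"`, or `"--pbkdf", "pbkdf2"` if the LUKS1 derivation is meant to be kept. The doc comment should record the new requirement, e.g. `// LuksFormat formats devicePath as a LUKS2 volume; needs cryptsetup 2.x in the plugin image. Existing LUKS1 volumes are not converted.` The compatibility claim in the commit message covers a new cryptsetup reading old LUKS1 headers, not an older cryptsetup reading the new LUKS2 ones, which is worth stating in encrypted-pvc.md as well.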