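def _decrypt_block_device(args, client, config):
    """Open a LUKS/dm-crypt encrypted block device.

    The device's dm-crypt key is retrieved from Vault and handed straight
    to ``dmcrypt.luks_open``; the key is never logged. If the mapped device
    already exists the function logs and returns without touching Vault.

    :param args: argparser generated cli arguments
    :param client: hvac.Client for Vault access
    :param config: configparser object of vaultlocker config
    :raises ValueError: if Vault holds no usable key for the device
    """
    # Only the UUID is needed here; the resolved device path is unused.
    _, block_uuid = _resolve_device(args.device[0])

    if _device_exists(block_uuid):
        logger.info('Skipping setup of {} because '
                    'it already exists.'.format(block_uuid))
        return

    vault_path = _get_vault_path(block_uuid, config)
    stored_data = client.read(vault_path)
    if stored_data is None:
        raise ValueError('Unable to locate key for {}'.format(block_uuid))

    # A secret at the path without the expected field is as unusable as a
    # missing one; report it explicitly rather than leaking a bare KeyError.
    key = (stored_data.get('data') or {}).get('dmcrypt_key')
    if not key:
        raise ValueError('Unable to locate key for {}'.format(block_uuid))

    dmcrypt.luks_open(key, block_uuid)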
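def _encrypt_block_device(args, client, config):
    """Encrypt and open a block device.

    The dm-crypt key is generated locally, stored directly in Vault and
    read back for verification *before* the device is formatted, so a
    Vault failure can never leave a formatted volume whose only key copy
    was in this process's memory. If LUKS formatting or opening fails
    afterwards, the just-stored key is deleted from Vault again so no
    orphaned secret is left behind.

    :param args: argparser generated cli arguments
    :param client: hvac.Client for Vault access
    :param config: configparser object of vaultlocker config
    :raises exceptions.VaultWriteError: if the key cannot be stored
    :raises exceptions.VaultReadError: if the stored key cannot be read back
    :raises exceptions.VaultKeyMismatch: if the read-back key is missing
        or differs from the generated key
    :raises exceptions.VaultDeleteError: if removing the key after a LUKS
        failure fails
    :raises exceptions.LUKSFailure: if cryptsetup/udevadm returns non-zero
    """
    block_device = args.block_device[0]
    key = dmcrypt.generate_key()
    block_uuid = args.uuid if args.uuid else str(uuid.uuid4())
    vault_path = _get_vault_path(block_uuid, config)

    # NOTE: store and validate key before trying to encrypt disk
    try:
        client.write(vault_path, dmcrypt_key=key)
    except hvac.exceptions.VaultError as write_error:
        logger.error(
            'Vault write to path {}. Failed with error: {}'.format(
                vault_path, write_error))
        raise exceptions.VaultWriteError(vault_path, write_error)

    try:
        stored_data = client.read(vault_path)
    except hvac.exceptions.VaultError as read_error:
        logger.error('Vault access to path {} '
                     'failed with error: {}'.format(vault_path, read_error))
        raise exceptions.VaultReadError(vault_path, read_error)

    # A missing secret or field must not surface as a TypeError/KeyError;
    # the key only counts as stored when it reads back exactly.
    stored_key = None
    if stored_data is not None:
        stored_key = (stored_data.get('data') or {}).get('dmcrypt_key')
    if stored_key != key:
        raise exceptions.VaultKeyMismatch(vault_path)

    # Every call inside this try raises CalledProcessError on a non-zero
    # return code; if any of them fails the key is removed from Vault again.
    try:
        dmcrypt.luks_format(key, block_device, block_uuid)
        # Ensure sym link for new encrypted device is created
        # LP Bug #1780332
        dmcrypt.udevadm_rescan(block_device)
        dmcrypt.udevadm_settle(block_uuid)
        dmcrypt.luks_open(key, block_uuid)
    except subprocess.CalledProcessError as luks_error:
        # NOTE(review): luks_error.output is the tool's captured output; the
        # dmcrypt helpers appear to pass the key on stdin rather than argv,
        # so it should not appear here -- confirm before changing log levels.
        logger.error(
            'LUKS formatting {} failed with error code: {}\n'
            'LUKS output: {}'.format(
                block_device, luks_error.returncode, luks_error.output))
        try:
            client.delete(vault_path)
        except hvac.exceptions.VaultError as del_error:
            raise exceptions.VaultDeleteError(vault_path, del_error)
        raise exceptions.LUKSFailure(block_device, luks_error.output)

    systemd.enable('vaultlocker-decrypt@{}.service'.format(block_uuid))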
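def _encrypt_block_device(args, client, config):
    """Encrypt and open a block device.

    Stores the dm-crypt key direct in vault. The key is written to Vault
    and read back for verification *before* the device is formatted: if
    the disk were formatted first and the Vault write then failed, the
    only copy of the key would be the one in this process's memory and
    the freshly encrypted volume would be unrecoverable.

    :param args: argparser generated cli arguments
    :param client: hvac.Client for Vault access
    :param config: configparser object of vaultlocker config
    :raises ValueError: if the key read back from Vault is missing or does
        not match the key that was written
    """
    block_device = args.block_device[0]
    key = dmcrypt.generate_key()
    block_uuid = str(uuid.uuid4()) if not args.uuid else args.uuid
    vault_path = _get_vault_path(block_uuid, config)

    # NOTE: store and validate key before touching the disk. A plain
    # ``assert`` is stripped under ``python -O``, so raise explicitly.
    client.write(vault_path, dmcrypt_key=key)
    stored_data = client.read(vault_path)
    stored_key = None
    if stored_data is not None:
        stored_key = (stored_data.get('data') or {}).get('dmcrypt_key')
    if stored_key != key:
        raise ValueError(
            'Key stored in Vault at {} does not match the generated '
            'key'.format(vault_path))

    dmcrypt.luks_format(key, block_device, block_uuid)
    # Ensure sym link for new encrypted device is created
    # LP Bug #1780332
    dmcrypt.udevadm_rescan(block_device)
    dmcrypt.udevadm_settle(block_uuid)
    dmcrypt.luks_open(key, block_uuid)

    systemd.enable('vaultlocker-decrypt@{}.service'.format(block_uuid))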
def test_luks_open(self, _subprocess):
    """luks_open must run cryptsetup with the UUID-derived names and read
    the key from stdin (``--key-file -``), never from the command line."""
    dmcrypt.luks_open('mykey', 'test-uuid')

    expected_cmd = [
        'cryptsetup', '--batch-mode', '--key-file', '-',
        'open', 'UUID=test-uuid', 'crypt-test-uuid',
        '--type', 'luks',
    ]
    expected_stdin = 'mykey'.encode('UTF-8')
    _subprocess.check_output.assert_called_once_with(
        expected_cmd, input=expected_stdin)
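def _decrypt_block_device(args, client, config):
    """Open a LUKS/dm-crypt encrypted block device.

    The device's dm-crypt key is retrieved from Vault and handed straight
    to ``dmcrypt.luks_open``; the key is never logged.

    :param args: argparser generated cli arguments
    :param client: hvac.Client for Vault access
    :param config: configparser object of vaultlocker config
    :raises ValueError: if Vault holds no usable key for the device
    """
    block_uuid = args.uuid[0]
    vault_path = _get_vault_path(block_uuid, config)
    stored_data = client.read(vault_path)
    if stored_data is None:
        raise ValueError('Unable to locate key for {}'.format(block_uuid))

    # A secret at the path without the expected field is as unusable as a
    # missing one; report it explicitly rather than leaking a bare KeyError.
    key = (stored_data.get('data') or {}).get('dmcrypt_key')
    if not key:
        raise ValueError('Unable to locate key for {}'.format(block_uuid))

    dmcrypt.luks_open(key, block_uuid)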
def _decrypt_block_device(args, client, config):
    """Open a LUKS/dm-crypt encrypted block device.

    The device's dm-crypt key is fetched from Vault through
    ``_vault_kv_read`` and passed directly to ``dmcrypt.luks_open``.
    A device that is already mapped is left alone.

    :param args: argparser generated cli arguments
    :param client: hvac.Client for Vault access
    :param config: configparser object of vaultlocker config
    """
    block_uuid = args.uuid[0]

    if _device_exists(block_uuid):
        logger.info(
            'Skipping setup of {} because it already exists.'.format(
                block_uuid))
        return

    secret = _vault_kv_read(
        client, config, _get_vault_path(block_uuid, config))
    dmcrypt.luks_open(secret['data']['dmcrypt_key'], block_uuid)