Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

initializer/cryptsetup: rework bash entrypoint #1140

Open
wants to merge 1 commit into
base: cryptsetup/initializer/basic
Choose a base branch
from
Open

initializer/cryptsetup: rework bash entrypoint #1140

wants to merge 1 commit into from

Conversation

jmxnzo
Copy link
Contributor

@jmxnzo jmxnzo commented Jan 10, 2025
edited
Loading

Similarly to #1161 , this PR serves as a preliminary step toward moving cryptsetup to a subcommand of the initializer binary. Before translating the Bash entrypoint (used in the initializer binary after merging #1161) into Go code, the script was reworked to allow a cleaner integration of the volume encryption.
There were a few peculiarities in the cryptsetup LUKS standardization that have not been fully addressed in the current version of the entrypoint:

  • key is equivalent to passphrase (see the LUKS EXTENSION section in the cryptsetup manual).
  • When using the --key-file flag with cryptsetup, the file's contents are unexpectedly treated as a passphrase rather than a cryptographic key.
  • Using the keyfile as passphrase won't result in higher entropy of the encryption key. As a result, we can directly use the workload secret and UUID without performing key derivation, because there is no straightforward way to avoid the built-in PBKDF for LUKS in cryptsetup.

e2e/volumestatefulset: https://github.com/edgelesssys/contrast/actions/runs/12764474415/job/35576714135

@jmxnzo jmxnzo added the no changelog PRs not listed in the release notes label Jan 10, 2025
@jmxnzo jmxnzo force-pushed the cryptsetup/initializer/rework-bash branch from 8c985ab to 5ad4898 Compare January 13, 2025 13:21
@jmxnzo jmxnzo changed the base branch from main to cryptsetup/initializer/basic January 14, 2025 09:46
Base automatically changed from cryptsetup/initializer/basic to main January 14, 2025 11:51
@jmxnzo jmxnzo mentioned this pull request Jan 14, 2025
Open
@jmxnzo jmxnzo force-pushed the cryptsetup/initializer/rework-bash branch 2 times, most recently from 06f59f8 to eddd6bc Compare January 16, 2025 15:38
@jmxnzo jmxnzo changed the base branch from main to cryptsetup/initializer/basic January 16, 2025 15:40
@jmxnzo jmxnzo marked this pull request as ready for review January 16, 2025 15:40
@jmxnzo jmxnzo changed the title initializer.cryptsetup: rework bash entrypoint initializer/cryptsetup: rework bash entrypoint Jan 16, 2025
@jmxnzo jmxnzo force-pushed the cryptsetup/initializer/rework-bash branch from eddd6bc to 5e7c79c Compare January 16, 2025 15:47
@jmxnzo
initializer/cryptsetup: rework bash entrypoint + debug
ec4f47e 
initializer/cryptsetup: drop debug logs
@jmxnzo jmxnzo force-pushed the cryptsetup/initializer/rework-bash branch from 5e7c79c to ec4f47e Compare January 16, 2025 15:48
@jmxnzo jmxnzo requested a review from burgerdev January 17, 2025 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@burgerdev burgerdev Awaiting requested review from burgerdev

Assignees
No one assigned
Labels
no changelog PRs not listed in the release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jmxnzo