Bug 1083827 - YaST storage-ng: Encryption is not kept when adding a volume to LVM
YaST storage-ng: Encryption is not kept when adding a volume to LVM
Status: RESOLVED WORKSFORME
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Development
Current
x86-64 Other
: P5 - None : Normal (vote)
: ---
Assigned To: E-mail List
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-03 02:43 UTC by Marc collin
Modified: 2018-03-22 10:50 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Screenshot showing successful encrypted LVM creation (88.41 KB, image/png)
2018-03-20 04:02 UTC, Neil Rickert
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marc collin 2018-03-03 02:43:22 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Build Identifier: 

i have a 1 tb ssd.
during installation suggestion with guided setup: with lvm, encryption, snapshot is
500 meg for boot efi
65 gig for lvm physial volume
25 for home (logical volume)
40 for root (logical volume)

don't know why 65 gig as lvm physical volume, should be rest of the disk...


if i starth with this (current proposal), delete 65 gig because if i try to resize, that said me: the deive is in use...

so i delete it create a new one, choose encryption.

When i go in volume management (Add volume groupd)
i choose encrypted lvm in the available device, click add, on the other size, selected devices is not encrypted...

Reproducible: Always

Steps to Reproduce:
1.in the partition choose guided tour, choose, lvm, encryption and snapshot
2. delete partition, create a new one (encrypted)
3. try to add a volume group
Actual Results:  
encryption is removed

Expected Results:  
encryption is keep
Comment 1 Marc collin 2018-03-03 03:03:56 UTC
video of the issue
https://youtu.be/SEUhFTncKwQ
Comment 2 Neil Rickert 2018-03-03 15:11:56 UTC
I think there is an existing bug report for the encryted LVM not using the entire disk.  I'm not sure of the bug number and haven't searched.

As for the main issue of your bug report -- I think it is just a matter of being a bit confused.  And the partitioner is confusing about this.

You can have an encrypted LVM (which you did try to setup).
And then you can separately encrypt an individual volume within that LVM.  That would be double encryption, and serves no useful purpose.

When you were seeing that the volume in the LVM was not encrypted, you were seeing only that it doesn't have that second layer of encryption.  The LVM itself still exists on encrypted disk space, so there is no need for that second layer of encryption.
Comment 3 Marc collin 2018-03-03 18:56:08 UTC
(In reply to Neil Rickert from comment #2)
> I think there is an existing bug report for the encryted LVM not using the
> entire disk.  I'm not sure of the bug number and haven't searched.
> 
> As for the main issue of your bug report -- I think it is just a matter of
> being a bit confused.  And the partitioner is confusing about this.
> 
> You can have an encrypted LVM (which you did try to setup).
> And then you can separately encrypt an individual volume within that LVM. 
> That would be double encryption, and serves no useful purpose.

is not what i try to do...

> When you were seeing that the volume in the LVM was not encrypted, you were
> seeing only that it doesn't have that second layer of encryption.  The LVM
> itself still exists on encrypted disk space, so there is no need for that
> second layer of encryption.

don't think so, because i go to 

https://pasteboard.co/HadNvKr.png 
we see the encrypted picture...

when i click to add 
https://pasteboard.co/HadNXQa.png

encrypted picture is not there... because i done this operation... i can add root, home (and decide to encrypt them too)...

if i click on sda 2 disk.. encryption is not there anymore

asked to a friend and got the same issue

happen only if we don't choose default config (65 gig too low for me)

https://pasteboard.co/HadNvKr.png
Comment 4 Marc collin 2018-03-03 19:15:30 UTC
commit ecc721a7e81f923c5a6c407640383e85fb34477b
Author: Imobach González Sosa <imobachgs@gmail.com>
Date:   Tue Feb 27 11:36:10 2018 +0000


    Do not remove encryption when adding a device to an VG (#550)
    
    * Do not remove encryption when adding a device to an VG
    * Bump version and update changes file

is the release i used... but that don't seem fixed...
Comment 5 Marc collin 2018-03-03 19:25:28 UTC
bug about size is: bug 966870
Comment 6 Neil Rickert 2018-03-03 20:32:44 UTC
I can now confirm this bug.

I attempted an install with Tumbleweed 20180301.  I set "/dev/sda2" to be raw disk space, and set that partition to be encrypted.

I then went through LVM creation, with root, swap and home volumes.  And, when done, the partitioning summary did not show the partition as encrypted.  It seems that the encryption is lost.

This used to work with the old partitioner.  Apparently, it no longer works with the new partitioner.
Comment 7 Marc collin 2018-03-05 22:31:07 UTC
maybe snapshot need to be check... possible it's lost too...
Comment 8 Stefan Hundhammer 2018-03-19 15:20:55 UTC
(In reply to Neil Rickert from comment #2)
> I think there is an existing bug report for the encryted LVM not using the
> entire disk.

IIRC this is a feature that can be configured by the release manager in the control file. Back years ago this was explicitly requested because with LVM you can always add more space later. I personally wouldn't do this, but it was requested like this.
Comment 9 Stefan Hundhammer 2018-03-19 15:24:21 UTC
Marc: Please notice that you can make screenshots in YaST with the [PrintScreen] key:

https://en.opensuse.org/SDB:YaST_tricks#YaST_Hotkeys

But what we really would have needed here are y2logs; otherwise we can't do much about this.

Also, did you check in the "device graph" in the expert partitioner what was really created? It should show an encryption layer somewhere, probably on the LVM PV (physical volume).
Comment 10 Stefan Hundhammer 2018-03-19 15:29:50 UTC
I just asked our QA guys, and they say they never saw this before; and this is one area that they are thoroughly testing (LVM with and without encryption in all kinds of combinations). So please add more information - y2logs and preferably a screenshot of the device graph in the partitioner.
Comment 11 Marc collin 2018-03-20 00:01:05 UTC
don't have this information.
i used gparted to fix this issue.

on irc, it seem i'm not alone... and it seem every body want encrypted hd without using default config have this issue.
Comment 12 Neil Rickert 2018-03-20 04:02:42 UTC
Created attachment 764179 [details]
Screenshot showing successful encrypted LVM creation

I originally confirmed this bug (comment #6 above), using Tumbleweed 20180301.

Today, I attempt to document the problem, using Leap 15.0 Build 168.1 .  However, everything worked properly this time.  So it looks as if the bug has been fixed since then.

The screenshot is the final summary screen showing the partitioning.  You can see that I did this manually, because I created a "/boot", which the defaults do not do.  And I used a smaller EFI partition (256K).

This was done with a newly created KVM virtual machine.  I completed the install with the KDE desktop.  The newly installed system booted correctly, asking for the encryption key during boot.

I will keep that VM around for a week or two, in case you need logs.  But I think you can just mark this as fixed.
Comment 13 Stefan Hundhammer 2018-03-22 10:50:32 UTC
OK then; for the time being, no y2logs, doesn't seem to be reproducable with reasonable effort -> closing.

If anybody can reproduce this and provide y2logs, feel free to reopen.

But as I wrote: This is an area that is extensively tested in-house by our QA, and we haven't seen any bug reports about it from them (which would include y2logs and screenshots etc. which would give us a chance to track this down).