deteriorate performance. Thus it is advisable to avoid using RBD encryption
in cases where incoming writes cannot be guaranteed to be sector-aligned.
-To mount a LUKS-encrypted image run::
+To map a LUKS-formatted image run:
- $ rbd -p {pool-name} device map -t nbd -o encryption-format=luks,encryption-passphrase-file={passphrase-file}
+.. prompt:: bash #
+
+ rbd device map -t nbd -o encryption-passphrase-file={passphrase-file} {image-spec}
Note that for security reasons, both the encryption format and encryption load
operations are CPU-intensive, and may take a few seconds to complete. For the
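Review bot: The rewritten map example drops `encryption-format=luks` without telling the reader that the format is now optional and falls back to `luks` when only a passphrase file is supplied. A sentence after the prompt block stating the default, and that `encryption-format=luks1` or `encryption-format=luks2` can still be passed explicitly, would keep existing scripts and this page from looking contradictory.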
sudo chmod 666 /dev/mapper/cryptsetupdev
# open encryption with librbd
- LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-format=luks,encryption-passphrase-file=/tmp/passphrase)
+ LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-passphrase-file=/tmp/passphrase)
sudo chmod 666 $LIBRBD_DEV
# write via librbd && compare
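Review bot: Replacing the only `rbd map ... -t nbd` call in this test with the format-less form means the explicit `encryption-format=luks,encryption-passphrase-file=...` path is no longer exercised here. Consider mapping once with the explicit format and once without, so that both the old invocation and the new default stay covered.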
if [ "$expectedfail" = "true" ]
then
- expect_false rbd flatten testimg1 --encryption-format luks --encryption-passphrase-file /tmp/passphrase2
+ expect_false rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2
+ rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2 --encryption-passphrase-file /tmp/passphrase
else
- rbd flatten testimg1 --encryption-format luks --encryption-passphrase-file /tmp/passphrase2
+ rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2
fi
rbd remove testimg1
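Review bot: The second `rbd flatten` added in the `expectedfail` branch passes two `--encryption-passphrase-file` arguments with no comment on why that call is expected to succeed where the single-passphrase call just above it must fail. A one-line comment saying which passphrase file applies to which image would make the ordering dependency explicit. Both branches also lose the `--encryption-format luks` form, so one explicit-format flatten is worth keeping.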
--image arg image name
--no-progress disable progress output
--encryption-format arg encryption format (luks, luks1, luks2)
+ [default: luks]
--encryption-passphrase-file arg path to file containing passphrase for
unlocking the image
--allow-shrink permit shrinking
--no-progress disable progress output
--encryption-format arg encryption format (luks, luks1, luks2)
+ [default: luks]
--encryption-passphrase-file arg path to file containing passphrase for
unlocking the image
opt->add_options()
(ENCRYPTION_FORMAT.c_str(),
po::value<std::vector<EncryptionFormat>>(),
- "encryption format (luks, luks1, luks2)");
+ "encryption format (luks, luks1, luks2) [default: luks]");
opt->add_options()
(ENCRYPTION_PASSPHRASE_FILE.c_str(),
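Review bot: The help string `[default: luks]` reads as unconditional, but the parsing change only fills in `luks` when `--encryption-passphrase-file` is present. Wording it along the lines of "default: luks if a passphrase file is given" would stop users from assuming every image is opened as encrypted.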
std::vector<at::EncryptionFormat> formats;
if (vm.count(at::ENCRYPTION_FORMAT)) {
formats = vm[at::ENCRYPTION_FORMAT].as<decltype(formats)>();
+ } else if (vm.count(at::ENCRYPTION_PASSPHRASE_FILE)) {
+ formats.resize(passphrase_files.size(),
+ at::EncryptionFormat{RBD_ENCRYPTION_FORMAT_LUKS});
}
if (formats.size() != passphrase_files.size()) {
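Review bot: The new `else if` branch applies the default only when no `--encryption-format` is given at all, so a command with one format and two passphrase files still falls through to the size mismatch check below. Either pad `formats` up to `passphrase_files.size()` in that case too, or state in the help and docs that the format must be given for every passphrase file or for none.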
<< "Map and attach options:\n"
<< " --device <device path> Specify nbd device path (/dev/nbd{num})\n"
<< " --encryption-format luks|luks1|luks2\n"
- << " Image encryption format\n"
+ << " Image encryption format (default: luks)\n"
<< " --encryption-passphrase-file Path of file containing passphrase for unlocking image encryption\n"
<< " --exclusive Forbid writes by other clients\n"
<< " --notrim Turn off trim/discard\n"
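Review bot: The usage line here says `(default: luks)` while the `rbd` option description in this same patch says `[default: luks]`. Pick one bracket style for both tools so the two help outputs match.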
}
}
+ if (cfg->encryption_formats.empty() &&
+ !cfg->encryption_passphrase_files.empty()) {
+ cfg->encryption_formats.resize(cfg->encryption_passphrase_files.size(),
+ RBD_ENCRYPTION_FORMAT_LUKS);
+ }
+
if (cfg->encryption_formats.size() != cfg->encryption_passphrase_files.size()) {
*err_msg << "rbd-nbd: Encryption formats count does not match "
<< "passphrase files count";
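Review bot: The defaulting block on `cfg->encryption_formats.empty()` is a second copy of the logic added to the `rbd` option parsing, and neither copy carries a comment explaining the rule. A short comment here (formats omitted entirely means every passphrase file is treated as `luks`) would help, and the "count does not match" message that follows could mention that omitting `--encryption-format` altogether is valid.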