# Encryption key rotation
issue: https://github.com/rook/rook/issues/7925
```
sh-4.4# cryptsetup luksDump /var/lib/rook/openshift-storage/ocs-deviceset-gp3-csi-1-data-0knj86/ceph-0/block-tmp
```
```
- name: ocs-deviceset-gp3-csi-1-data-0knj86-bridge
  hostPath:
    path: /var/lib/rook/openshift-storage/ocs-deviceset-gp3-csi-1-data-0knj86
    type: Directory
```
---
> From the top of my head, we would need:
>
> * Ability to configure a retention policy
> * Use a cronjob to create a new KEK, add it to the LUKS slot, add it to the KMS (if any), remove the previous KEK from the slot
> * We need one job for each OSD PVC
> * We don't need to restart the OSD or stop it, this can be done on the fly
One cronjob per encrypted OSD backed by a PVC.
---
### KEK rotation logic

| Step | Operation | LUKS slot 0 | LUKS slot 1 | Key in KMS |
|:---- |:--------------------------- |:----------- |:----------- |:---------- |
| 1 | Obtain K1 | K1 | | K1 |
| 2 | Add K1 to slot 1 | K1 | K1 | K1 |
| 3 | Create K2 & add it to slot 0 | K2 | K1 | K1 |
| 4 | Update K2 in KMS | K2 | K1 | K2 |
| 5 | Fetch K2 from KMS to verify | K2 | K1 | K2 |
| 6 | Remove K1 from slot 1 | K2 | | K2 |

Note: slot numbers follow the cryptsetup convention (keyslots start at 0). With this ordering the KEK stored in the KMS can open the encrypted device even if the operation is interrupted after any step: until step 4 the KMS holds K1, which remains in slot 1; from step 4 on it holds K2, which is already in slot 0.

Reference: [10 Linux cryptsetup Examples for LUKS Key Management (How to Add, Remove, Change, Reset LUKS encryption Key)](https://www.thegeekstuff.com/2016/03/cryptsetup-lukskey/)
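The interruption-safety argument in the note above can be checked mechanically. The following is an added example written for this page, not Rook code: it models the two LUKS key slots and the KMS entry as plain Go values (constructed sample KEKs `K1` and `K2`), runs the six steps of the table with a simulated crash after any of them, and checks after every step that the KEK held in the KMS still opens the device. `Rotate` accepts any step list, so the shortcut ordering without a backup slot (`NaiveSteps`) is checked the same way and fails as soon as slot 0 is overwritten. The `cryptsetup` sub-commands named in the comments are the real ones each modelled operation stands in for; the method and type names are this example's own.

```go
package main

import "fmt"

// Constructed model, not Rook code: two LUKS key slots and the one KEK the OSD
// fetches from the KMS at start-up. Nothing here touches a real device.
const numSlots = 2

// LUKSHeader records which KEK is enrolled in each key slot ("" = inactive).
type LUKSHeader struct{ Slots [numSlots]string }

// KMS holds the KEK currently stored for this OSD in the key management system.
type KMS struct{ Key string }

// Opens reports whether kek unlocks the device, i.e. matches an active slot
// (what `cryptsetup open --test-passphrase --key-file <kek> <dev>` checks).
func (h *LUKSHeader) Opens(kek string) bool {
	for _, s := range h.Slots {
		if s != "" && s == kek {
			return true
		}
	}
	return false
}

// AddKey enrols kek in an inactive slot (`cryptsetup luksAddKey --key-slot N`).
func (h *LUKSHeader) AddKey(slot int, kek string) error {
	if h.Slots[slot] != "" {
		return fmt.Errorf("keyslot %d is already active", slot)
	}
	h.Slots[slot] = kek
	return nil
}

// ChangeKey swaps the KEK in an active slot (`cryptsetup luksChangeKey --key-slot N`).
func (h *LUKSHeader) ChangeKey(slot int, kek string) error {
	if h.Slots[slot] == "" {
		return fmt.Errorf("keyslot %d is not active", slot)
	}
	h.Slots[slot] = kek
	return nil
}

// KillSlot wipes a slot (`cryptsetup luksKillSlot <dev> N`); like cryptsetup it fails on an inactive slot.
func (h *LUKSHeader) KillSlot(slot int) error {
	if h.Slots[slot] == "" {
		return fmt.Errorf("keyslot %d is not active", slot)
	}
	h.Slots[slot] = ""
	return nil
}

// RotationSteps is the table above, in order, for new KEK k2; the job may die between any two.
func RotationSteps(h *LUKSHeader, kms *KMS, k2 string) []func() error {
	var k1 string
	return []func() error{
		func() error { k1 = kms.Key; return nil },  // 1 obtain K1 from the KMS
		func() error { return h.AddKey(1, k1) },    // 2 add K1 to slot 1 (backup)
		func() error { return h.ChangeKey(0, k2) }, // 3 create K2, replace slot 0
		func() error { kms.Key = k2; return nil },  // 4 update K2 in the KMS
		func() error { // 5 fetch K2 from the KMS and verify it opens the device
			if !h.Opens(kms.Key) {
				return fmt.Errorf("KMS key does not open the device")
			}
			return nil
		},
		func() error { return h.KillSlot(1) }, // 6 remove K1 from slot 1
	}
}

// NaiveSteps is the shortcut the table avoids: overwrite slot 0 with no backup, then update the KMS.
func NaiveSteps(h *LUKSHeader, kms *KMS, k2 string) []func() error {
	return []func() error{
		func() error { return h.ChangeKey(0, k2) }, // replace slot 0 with K2
		func() error { kms.Key = k2; return nil },  // store K2 in the KMS
	}
}

// Rotate runs the first stopAfter steps (a crash there) and returns false as soon as
// the KEK held in the KMS would no longer open the device.
func Rotate(h *LUKSHeader, kms *KMS, steps []func() error, stopAfter int) (bool, error) {
	for i := 0; i < stopAfter && i < len(steps); i++ {
		if err := steps[i](); err != nil {
			return false, fmt.Errorf("step %d: %w", i+1, err)
		}
		if !h.Opens(kms.Key) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	h, kms := &LUKSHeader{Slots: [numSlots]string{"K1", ""}}, &KMS{Key: "K1"}
	ok, err := Rotate(h, kms, RotationSteps(h, kms, "K2"), 3) // crash after step 3
	fmt.Printf("table order: KMS key opens=%v err=%v slots=%q kms=%s\n", ok, err, h.Slots, kms.Key)
	h, kms = &LUKSHeader{Slots: [numSlots]string{"K1", ""}}, &KMS{Key: "K1"}
	ok, _ = Rotate(h, kms, NaiveSteps(h, kms, "K2"), 1) // crash after step 1
	fmt.Printf("naive order: KMS key opens=%v slots=%q kms=%s\n", ok, h.Slots, kms.Key)
}
```

Running it shows the table order surviving a crash after step 3 (slot 1 still holds K1, which is what the KMS returns) and the naive order stranding the OSD after its first step. The model also reproduces the `Keyslot 1 is not active` failure of `luksKillSlot` on an inactive slot, so a job that is re-run after an interruption has to treat that error as "already done" rather than as a failure.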
---
### Cephcluster CR changes
We can add the parameters `enableKeyRotation: <true|false>` and `schedule: <cron_format, default to @weekly>` to
the `security` section of the CephCluster spec, documented at https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/Advanced/key-management-system.md.
```
security:
  kms:
    enableKeyRotation: "true"
    schedule: "@weekly"
    connectionDetails:
      KMS_PROVIDER: vault
      ....
    tokenSecretName: rook-vault-token
```
---
- https://askubuntu.com/questions/1319688/luks-how-can-i-add-more-password-slots-or-remove-change-a-password
- Getsecret: https://github.com/rook/rook/blob/master/pkg/daemon/ceph/osd/kms/kms.go#L152
- OSD start: https://github.com/rook/rook/blob/master/cmd/rook/ceph/osd.go#L152
- key management get:
  - https://github.com/rook/rook/blob/master/cmd/rook/secret.go#L85
  - https://github.com/rook/rook/blob/master/pkg/operator/ceph/cluster/osd/osd.go
- openencrypted block: https://github.com/rook/rook/blob/master/pkg/operator/ceph/cluster/osd/spec.go#L172
- generateEncryptionOpenBlockContainer(): https://github.com/rook/rook/blob/master/pkg/operator/ceph/cluster/osd/spec.go#L865
- api types: https://github.com/rook/rook/blob/master/pkg/apis/ceph.rook.io/v1/types.go
```
[root@key-rotation-osd-0-qn8rg /]# cryptsetup luksKillSlot /var/lib/ceph/osd/ceph/block-tmp 1
Keyslot 1 is not active.
```