Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

zdb -O fails for encrypted datasets #11551

Closed
w1kl4s opened this issue Jan 30, 2021 · 4 comments · Fixed by #14503
Closed

zdb -O fails for encrypted datasets #11551

w1kl4s opened this issue Jan 30, 2021 · 4 comments · Fixed by #14503
Labels
Bot: Not Stale Override for the stale bot Type: Defect Incorrect behavior (e.g. crash, hang)

Comments

@w1kl4s
Copy link

w1kl4s commented Jan 30, 2021

System information

Type Version/Name
Distribution Name Void Linux
Distribution Version rolling
Linux Kernel 5.10.10_1
Architecture x86_64
ZFS Version 2.0.1-1
SPL Version 2.0.1-1

Describe the problem you're observing

command zdb -O fails for encrypted datasets with Permission denied error

Describe how to reproduce the problem

➜  ~ whoami
root
➜  ~ mkdir /mnt/testpool
➜  ~ dd if=/dev/zero of=/tmp/zpooltest.img bs=4M count=256
256+0 records in
256+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 0.302311 s, 3.6 GB/s
➜  ~ zpool create testpool /tmp/zpooltest.img    
➜  ~ zfs create testpool/unencrypted -o mountpoint=/mnt/testpool/unencrypted
➜  ~ zfs create testpool/encrypted -o mountpoint=/mnt/testpool/encrypted -o encryption=aes-256-gcm -o keyformat=passphrase
Enter passphrase:
Re-enter passphrase:
➜  ~ 
➜  ~ touch /mnt/testpool/unencrypted/test
➜  ~ touch /mnt/testpool/encrypted/test
➜  ~ zdb -O testpool/unencrypted test 

    Object  lvl   iblk   dblk  dsize  dnsize  lsize   %full  type
         2    1   128K    512      0     512    512    0.00  ZFS plain file
➜  ~ zdb -O testpool/encrypted test  
failed to lookup dataset=testpool/encrypted path=/test: Permission denied

Include any warning/errors/backtraces from the system logs

None observed.
@w1kl4s w1kl4s added Status: Triage Needed New issue which needs to be triaged Type: Defect Incorrect behavior (e.g. crash, hang) labels Jan 30, 2021
@mhosken
Copy link

mhosken commented Aug 11, 2021
edited
Loading

I concur. Makes it tricky to use zdb -O at all on an encrypted pool. zfs-2.0.2-1ubuntu5 zfs-kmod-2.0.3-8ubuntu6

@putnam
Copy link

putnam commented Nov 1, 2021
edited
Loading

Still occurs on 2.0.6 and 2.0.8. I'm surprised nobody has had the need to debug encrypted datasets in this way.

However, you can always mount the dataset and get the object number / inode with ls -i PATH and then call zdb -ddd NUM which I think is effectively the same thing.

@fryfrog
Copy link

fryfrog commented Nov 1, 2021

And just to add a little more, it also still occurs on 2.1.1.

@stale
Copy link

stale bot commented Nov 1, 2022

This issue has been automatically marked as "stale" because it has not had any activity for a while. It will be closed in 90 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the Status: Stale No recent activity for issue label Nov 1, 2022
@behlendorf behlendorf added Bot: Not Stale Override for the stale bot and removed Status: Stale No recent activity for issue Status: Triage Needed New issue which needs to be triaged labels Nov 1, 2022
@robn robn mentioned this issue Feb 17, 2023
Merged
13 tasks
behlendorf pushed a commit that referenced this issue Mar 2, 2023
@robn
zdb: add decryption support
163f3d3 
The approach is straightforward: for dataset ops, if a key was offered,
find the encryption root and the various encryption parameters, derive a
wrapping key if necessary, and then unlock the encryption root. After
that all the regular dataset ops will return unencrypted data, and
that's kinda the whole thing.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Rob Norris <robn@despairlabs.com>
Closes #11551
Closes #12707
Closes #14503
lundman pushed a commit to openzfsonwindows/openzfs that referenced this issue Mar 3, 2023
@robn @lundman
zdb: add decryption support
619458f 
The approach is straightforward: for dataset ops, if a key was offered,
find the encryption root and the various encryption parameters, derive a
wrapping key if necessary, and then unlock the encryption root. After
that all the regular dataset ops will return unencrypted data, and
that's kinda the whole thing.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Rob Norris <robn@despairlabs.com>
Closes openzfs#11551
Closes openzfs#12707
Closes openzfs#14503
pcd1193182 pushed a commit to pcd1193182/zfs that referenced this issue Sep 26, 2023
@robn @sdimitro
zdb: add decryption support
b41fafa 
The approach is straightforward: for dataset ops, if a key was offered,
find the encryption root and the various encryption parameters, derive a
wrapping key if necessary, and then unlock the encryption root. After
that all the regular dataset ops will return unencrypted data, and
that's kinda the whole thing.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Rob Norris <robn@despairlabs.com>
Closes openzfs#11551
Closes openzfs#12707
Closes openzfs#14503
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bot: Not Stale Override for the stale bot Type: Defect Incorrect behavior (e.g. crash, hang)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

zdb: add decryption support robn/zfs
5 participants
@putnam @fryfrog @behlendorf @mhosken @w1kl4s