Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

zdb: add decryption support #14503

Merged
merged 3 commits into from
Mar 2, 2023
Merged

zdb: add decryption support #14503

merged 3 commits into from
Mar 2, 2023

Conversation

robn
Copy link
Member

@robn robn commented Feb 17, 2023

The approach is straightforward: for dataset ops, if a key was offered, find the encryption root and the various encryption parameters, derive a wrapping key if necessary, and then unlock the encryption root. After that all the regular dataset ops will return unencrypted data, and that's kinda the whole thing.

Resolves #11551, resolves #12707.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Performance enhancement (non-breaking change which improves efficiency)
  • Code cleanup (non-breaking change which makes code smaller or more readable)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
  • Documentation (a change to man pages or other documentation)

Checklist:

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 17, 2023
View reviewed changes
cmd/zdb/zdb.c Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 17, 2023
View reviewed changes
cmd/zdb/zdb.c Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 17, 2023
View reviewed changes
cmd/zdb/zdb.c Fixed Show fixed Hide fixed
@robn robn force-pushed the zdb-decrypt branch 2 times, most recently from 2369909 to a68e62f Compare February 17, 2023 22:09
lundman
lundman approved these changes Feb 17, 2023
View reviewed changes
Copy link
Contributor

@lundman lundman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After the key stuff, the changes turn out quite small, very nice.

cmd/zdb/zdb.c Show resolved Hide resolved
cmd/zdb/Makefile.am Show resolved Hide resolved
@robn
Copy link
Member Author

robn commented Feb 27, 2023

@behlendorf for your consideration, thanks.

behlendorf
behlendorf approved these changes Feb 27, 2023
View reviewed changes
Copy link
Contributor

@behlendorf behlendorf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this functionality, just a couple comments.

cmd/zdb/zdb.c Outdated Show resolved Hide resolved
cmd/zdb/zdb.c Outdated Show resolved Hide resolved
@behlendorf behlendorf added Status: Code Review Needed Ready for review and testing Status: Accepted Ready to integrate (reviewed, tested) and removed Status: Code Review Needed Ready for review and testing labels Feb 27, 2023
robn added 3 commits March 2, 2023 22:50
@robn
zdb: add decryption support
86f781a 
The approach is straightforward: for dataset ops, if a key was offered,
find the encryption root and the various encryption parameters, derive a
wrapping key if necessary, and then unlock the encryption root. After
that all the regular dataset ops will return unencrypted data, and
that's kinda the whole thing.

Signed-off-by: Rob Norris <robn@despairlabs.com>
@robn
zdb: add VERIFY0 checks around encryption setup calls
e4859d6 
We're assuming that a lot of stuff is set up right in order for key
loading to every be possible. That's ok for zdb, but we should at least
mark where we're making that assumption so its obvious what's happening
when it does blow up.

Signed-off-by: Rob Norris <robn@despairlabs.com>
@robn
tests: add test for zdb encryption support
242e6c7 
Signed-off-by: Rob Norris <robn@despairlabs.com>
@behlendorf behlendorf merged commit 163f3d3 into openzfs:master Mar 2, 2023
@robn robn deleted the zdb-decrypt branch March 3, 2023 03:54
lundman pushed a commit to openzfsonwindows/openzfs that referenced this pull request Mar 3, 2023
@robn @lundman
zdb: add decryption support
619458f 
The approach is straightforward: for dataset ops, if a key was offered,
find the encryption root and the various encryption parameters, derive a
wrapping key if necessary, and then unlock the encryption root. After
that all the regular dataset ops will return unencrypted data, and
that's kinda the whole thing.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Rob Norris <robn@despairlabs.com>
Closes openzfs#11551
Closes openzfs#12707
Closes openzfs#14503
pcd1193182 pushed a commit to pcd1193182/zfs that referenced this pull request Sep 26, 2023
@robn @sdimitro
zdb: add decryption support
b41fafa 
The approach is straightforward: for dataset ops, if a key was offered,
find the encryption root and the various encryption parameters, derive a
wrapping key if necessary, and then unlock the encryption root. After
that all the regular dataset ops will return unencrypted data, and
that's kinda the whole thing.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Rob Norris <robn@despairlabs.com>
Closes openzfs#11551
Closes openzfs#12707
Closes openzfs#14503
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behlendorf behlendorf behlendorf approved these changes

@lundman lundman lundman approved these changes

Assignees
No one assigned
Labels
Status: Accepted Ready to integrate (reviewed, tested)
Projects
None yet
Milestone
No milestone
3 participants
@robn @behlendorf @lundman