diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index d04ab2cf7..7f30879ea 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -196,20 +196,21 @@ func VolumeMapper(volumeID string) (mapperFile, mapperFilePath string) {
 // EncryptVolume encrypts provided device with LUKS.
 func EncryptVolume(ctx context.Context, devicePath, passphrase string) error {
- log.DebugLog(ctx, "Encrypting device %s with LUKS", devicePath)
- if _, _, err := LuksFormat(devicePath, passphrase); err != nil {
- return fmt.Errorf("failed to encrypt device %s with LUKS: %w", devicePath, err)
+ log.DebugLog(ctx, "Encrypting device %q with LUKS", devicePath)
+ _, stdErr, err := LuksFormat(devicePath, passphrase)
+ if err != nil || stdErr != "" {
+ log.ErrorLog(ctx, "failed to encrypt device %q with LUKS (%v): %s", devicePath, err, stdErr)
 }
- return nil
+ return err
 }
 // OpenEncryptedVolume opens volume so that it can be used by the client.
 func OpenEncryptedVolume(ctx context.Context, devicePath, mapperFile, passphrase string) error {
- log.DebugLog(ctx, "Opening device %s with LUKS on %s", devicePath, mapperFile)
- _, stderr, err := LuksOpen(devicePath, mapperFile, passphrase)
- if err != nil {
- log.ErrorLog(ctx, "failed to open LUKS device %q: %s", devicePath, stderr)
+ log.DebugLog(ctx, "Opening device %q with LUKS on %q", devicePath, mapperFile)
+ _, stdErr, err := LuksOpen(devicePath, mapperFile, passphrase)
+ if err != nil || stdErr != "" {
+ log.ErrorLog(ctx, "failed to open device %q (%v): %s", devicePath, err, stdErr)
 }
 return err
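Review bot: In EncryptVolume the condition `err != nil || stdErr != ""` logs "failed to encrypt" at error level and then returns `err`, so a cryptsetup run that exits 0 but writes a warning to stderr is logged as a failure with `(<nil>)` while the function still reports success; the same shape recurs in OpenEncryptedVolume below and in ResizeEncryptedVolume and CloseEncryptedVolume in the next hunk. The returned error has also lost the `%w` wrapping with the device path that the removed line carried, leaving callers only the generic message built inside execCryptsetupCommand. Splitting the two cases keeps error-level logging and a wrapped error for real failures and demotes stderr-only output to a debug line; the same split applies to the other three functions.
```go
	log.DebugLog(ctx, "Encrypting device %q with LUKS", devicePath)
	_, stdErr, err := LuksFormat(devicePath, passphrase)
	if err != nil {
		log.ErrorLog(ctx, "failed to encrypt device %q with LUKS (%v): %s", devicePath, err, stdErr)

		return fmt.Errorf("failed to encrypt device %q with LUKS: %w", devicePath, err)
	}
	if stdErr != "" {
		log.DebugLog(ctx, "cryptsetup wrote to stderr while encrypting device %q: %s", devicePath, stdErr)
	}

	return nil
```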
@@ -217,10 +218,10 @@ func OpenEncryptedVolume(ctx context.Context, devicePath, mapperFile, passphrase
 // ResizeEncryptedVolume resizes encrypted volume so that it can be used by the client.
 func ResizeEncryptedVolume(ctx context.Context, mapperFile string) error {
- log.DebugLog(ctx, "Resizing LUKS device %s", mapperFile)
- _, stderr, err := LuksResize(mapperFile)
- if err != nil {
- log.ErrorLog(ctx, "failed to resize LUKS device %s: %s", mapperFile, stderr)
+ log.DebugLog(ctx, "Resizing LUKS device %q", mapperFile)
+ _, stdErr, err := LuksResize(mapperFile)
+ if err != nil || stdErr != "" {
+ log.ErrorLog(ctx, "failed to resize LUKS device %q (%v): %s", mapperFile, err, stdErr)
 }
 return err
@@ -228,8 +229,11 @@ func ResizeEncryptedVolume(ctx context.Context, mapperFile string) error {
 // CloseEncryptedVolume closes encrypted volume so it can be detached.
 func CloseEncryptedVolume(ctx context.Context, mapperFile string) error {
- log.DebugLog(ctx, "Closing LUKS device %s", mapperFile)
- _, _, err := LuksClose(mapperFile)
+ log.DebugLog(ctx, "Closing LUKS device %q", mapperFile)
+ _, stdErr, err := LuksClose(mapperFile)
+ if err != nil || stdErr != "" {
+ log.ErrorLog(ctx, "failed to close LUKS device %q (%v): %s", mapperFile, err, stdErr)
+ }
 return err
 }
@@ -249,13 +253,13 @@ func DeviceEncryptionStatus(ctx context.Context, devicePath string) (mappedDevic
 return devicePath, "", nil
 }
 mapPath := strings.TrimPrefix(devicePath, mapperFilePathPrefix+"/")
- stdout, _, err := LuksStatus(mapPath)
- if err != nil {
- log.DebugLog(ctx, "device %s is not an active LUKS device: %v", devicePath, err)
+ stdout, stdErr, err := LuksStatus(mapPath)
+ if err != nil || stdErr != "" {
+ log.DebugLog(ctx, "%q is not an active LUKS device (%v): %s", devicePath, err, stdErr)
 return devicePath, "", nil
 }
- lines := strings.Split(string(stdout), "\n")
+ lines := strings.Split(stdout, "\n")
 if len(lines) < 1 {
 return "", "", fmt.Errorf("device encryption status returned no stdout for %s", devicePath)
 }
diff --git a/internal/util/cryptsetup.go b/internal/util/cryptsetup.go
index ce9e4f018..f9677f743 100644
--- a/internal/util/cryptsetup.go
+++ b/internal/util/cryptsetup.go
@@ -24,7 +24,7 @@ import (
 )
 // LuksFormat sets up volume as an encrypted LUKS partition.
-func LuksFormat(devicePath, passphrase string) (stdout, stderr []byte, err error) {
+func LuksFormat(devicePath, passphrase string) (string, string, error) {
 return execCryptsetupCommand(
 &passphrase,
 "-q",
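Review bot: In DeviceEncryptionStatus the new early return fires on `stdErr != ""` even when LuksStatus succeeded and stdout holds a parseable status, so a warning-only line on stderr makes an active LUKS mapping be reported as a plain device (mappedDevice set to devicePath with an empty mapper), and callers would then skip the LUKS-specific handling for a device that is in fact encrypted. The old code only took this path on a non-nil error; keeping that, `if err != nil {`, and leaving the stderr text in the debug message preserves the status decision while still surfacing what cryptsetup printed. DeviceEncryptionStatus begins before this hunk and its status parsing continues after it.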
@@ -39,28 +39,28 @@ func LuksFormat(devicePath, passphrase string) (stdout, stderr []byte, err error
 }
 // LuksOpen opens LUKS encrypted partition and sets up a mapping.
-func LuksOpen(devicePath, mapperFile, passphrase string) (stdout, stderr []byte, err error) {
+func LuksOpen(devicePath, mapperFile, passphrase string) (string, string, error) {
 // cryptsetup option --disable-keyring (introduced with cryptsetup v2.0.0)
 // will be ignored with luks1
 return execCryptsetupCommand(&passphrase, "luksOpen", devicePath, mapperFile, "--disable-keyring", "-d", "/dev/stdin")
 }
 // LuksResize resizes LUKS encrypted partition.
-func LuksResize(mapperFile string) (stdout, stderr []byte, err error) {
+func LuksResize(mapperFile string) (string, string, error) {
 return execCryptsetupCommand(nil, "resize", mapperFile)
 }
 // LuksClose removes existing mapping.
-func LuksClose(mapperFile string) (stdout, stderr []byte, err error) {
+func LuksClose(mapperFile string) (string, string, error) {
 return execCryptsetupCommand(nil, "luksClose", mapperFile)
 }
 // LuksStatus returns encryption status of a provided device.
-func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {
+func LuksStatus(mapperFile string) (string, string, error) {
 return execCryptsetupCommand(nil, "status", mapperFile)
 }
-func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
+func execCryptsetupCommand(stdin *string, args ...string) (string, string, error) {
 var (
 program = "cryptsetup"
 cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
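Review bot: execCryptsetupCommand has no doc comment, and replacing the named results `(stdout, stderr []byte, err error)` with `(string, string, error)` on LuksOpen, LuksResize, LuksClose, LuksStatus and execCryptsetupCommand removes the only hint of which string is which, at the same time as the contract changes so that stderr is now returned on success and the callers in crypto.go branch on it. Add above the function: `// execCryptsetupCommand runs cryptsetup with args, feeding *stdin to the process when non-nil, and returns the captured stdout and stderr together with the run error; stderr is returned even when the command exits successfully.` Alternatively keep the results named as `(stdout, stderr string, err error)` on these signatures so the order stays self-documenting. The body of execCryptsetupCommand continues past this hunk.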
@@ -74,11 +74,14 @@ func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte
 if stdin != nil {
 cmd.Stdin = strings.NewReader(*stdin)
 }
+ err := cmd.Run()
+ stdout := stdoutBuf.String()
+ stderr := stderrBuf.String()
- if err := cmd.Run(); err != nil {
- return stdoutBuf.Bytes(), stderrBuf.Bytes(), fmt.Errorf("an error (%v)"+
+ if err != nil {
+ return stdout, stderr, fmt.Errorf("an error (%v)"+
 " occurred while running %s args: %v", err, program, sanitizedArgs)
 }
- return stdoutBuf.Bytes(), nil, nil
+ return stdout, stderr, err
 }
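Review bot: The final `return stdout, stderr, err` can only be reached with a nil err, because the non-nil case returns two lines earlier, so `return stdout, stderr, nil` states the intent directly and avoids a reader wondering whether err can be set here. The wrapping on the new return line still uses `%v` for the run error, which hides the underlying exec error type from callers; now that EncryptVolume returns this error unwrapped it is the only error they receive, and `fmt.Errorf("an error (%w)"+` would let them inspect the exit status with errors.As. The function's start, including stdoutBuf, stderrBuf and sanitizedArgs, lies outside the hunk.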