path: root/docs/LUKS2-locking.txt

LUKS2 device locking overview
=============================

Why
~~~

LUKS2 format keeps two identical copies of metadata stored consecutively
at the head of the metadata device (file or bdev). The metadata
area (both copies) must be updated in a single atomic operation to avoid
header corruption during concurrent write.

While with LUKS1 users may have clear knowledge of when a LUKS header is
being updated (written to) or when it's being read solely the need for
locking with legacy format was not so obvious as it is with the LUKSv2 format.

With LUKS2 the boundary between read-only and read-write is blurry and what
used to be the exclusively read-only operation (i.e., cryptsetup open command) may
easily become read-update operation silently without the user's knowledge.
A major feature of the LUKS2 format is resilience against accidental
corruption of metadata (i.e., partial header overwrite by parted or cfdisk
while creating a partition on a mistaken block device).
Such header corruption is detected early on the header read and the auto-recovery
procedure takes place (the corrupted header with checksum mismatch is being
replaced by the secondary one if that one is intact).
On current Linux systems header load operation may be triggered without the user
direct intervention for example by an udev rule or from a systemd service.
Such a clash of header read and auto-recovery procedure could have severe
consequences with the worst case of having a LUKS2 device inaccessible or being
broken beyond repair.

The whole locking of LUKSv2 device headers split into two categories depending
what backend the header is stored on:

I) block device
~~~~~~~~~~~~~~~

We perform flock() on file descriptors of files stored in a private
directory (by default /run/lock/cryptsetup). The file name is derived
from major:minor couple of the affected block device. Note we recommend
that access to the private locking directory is supposed to be limited
to the superuser only. For this method to work the distribution needs
to install the locking directory with appropriate access rights.

II) regular files
~~~~~~~~~~~~~~~~~

A first notable difference between headers stored in a file
vs. headers stored in a block device is that headers in a file may be
manipulated by the regular user, unlike headers on block devices. Therefore
we perform flock() protection on file with the luks2 header directly.

Limitations
~~~~~~~~~~~

a) In general, the locking model provides serialization of I/Os targeting
the header only. It means the header is always written or read at once
while locking is enabled.
We do not suppress any other negative effect that two or more concurrent
writers of the same header may cause.

b) The locking is not cluster-aware in any way.

Additional LUKS2 locks
======================

LUKS2 reencryption device lock
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Device in LUKS2 reencryption is protected by an exclusive lock placed in the default
locking directory. The lock's purpose is to exclude multiple processes from
performing reencryption on the same device (identified by LUKS uuid). The lock
is taken no matter the LUKS2 reencryption mode (online or offline).

LUKS2 memory hard global lock
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An optional global lock that makes libcryptsetup serialize memory hard
pbkdf function when deriving a key encryption key from passphrase on unlocking
LUKS2 keyslot. The lock has to be enabled via the CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF
flag. The lock is placed in the default locking directory.

LUKS2 OPAL lock
~~~~~~~~~~~~~~~

Exclusive per device lock taken when manipulating LUKS2 device configured for use with
SED OPAL2 locking range.

Lock ordering
=============

To avoid a deadlock following rules must apply:

- LUKS2 reencrytpion lock must be taken before LUKS2 OPAL lock.

- LUKS2 OPAL lock must be taken before LUKS2 metadata lock.

- LUKS2 memory hard global lock can not be used with other locks.