rm: linux-disk-encryption: document re-encryption

[ldts]

Document LUKS2 re-encryption and PKCS#11 emulation.

Readiness

• Merge (pending reviews)
• Merge after date or event
• Draft

Overview

Why merge this PR? What does it solve?

Checklist

Optional. Add a 'x' to steps taken.
You can fill this out after opening the PR. "Did I..."

• Run spelling and grammar check, preferably with linter.
• Avoid changing any header associated with a link/reference.
• Step through instructions (or ask someone to do so).
• Review for wordiness
• Match tone and style of page/section.
• Run make linkcheck.
• View HTML in a browser to check rendering.
• Use semantic newlines.
• follow best practices for commits.
  • Descriptive title written in the imperative.
  • Include brief overview of QA steps taken.
  • Mention any related issues numbers.
  • End message with sign off/DCO line (-s, --signoff).
  • Sign commit with your gpg key (-S, --gpg-sign).
  • Squash commits if needed.
• Request PR review by a technical writer and at least one peer.

Comments

Any thing else that a maintainer/reviewer should know.
This could include potential issues, rational for approach, etc.

[doanac]

Docs for 182b37f are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2451/docs/artifacts/html/index.html

[doanac]

Docs for fb9b0c6 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2452/docs/artifacts/html/index.html

[doanac]

Docs for b21768f are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2453/docs/artifacts/html/index.html

[doanac]

Docs for aa0289b are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2454/docs/artifacts/html/index.html

[angolini]

As always, it's a pleasure to read your texts! I only made a few double-checking and tiny suggestions, but the text is excellent!

[doanac]

Docs for 9feb2c3 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2458/docs/artifacts/html/index.html

[doanac]

Docs for c84e5d0 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2460/docs/artifacts/html/index.html

[doanac]

Docs for 4430eaf are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2464/docs/artifacts/html/index.html

[ldts]

As always, it's a pleasure to read your texts! I only made a few double-checking and tiny suggestions, but the text is excellent!

sorry Diane, this gave me extra motivation to try and do a better job and I reorganized things a bit more. Maybe you can have a look? it is your fault for the encouragement :)

[doanac]

Docs for d375aed are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2465/docs/artifacts/html/index.html

[angolini]

As always, it's a pleasure to read your texts! I only made a few double-checking and tiny suggestions, but the text is excellent!

sorry Diane, this gave me extra motivation to try and do a better job and I reorganized things a bit more. Maybe you can have a look? it is your fault for the encouragement :)

I will review again and "resolve" everything I think is resolved from my pov ;) I'm glad you got motivated <3

[angolini]

Great changes! it's a looks great to me ;)

[mike-scott]

@ldts Are we 100% sure this is true? We have clients that are using re-encryption and it picks up where it left off and does not block the boot in their case. Did something change here?

[ldts]

yes 100%.
I am not sure what configuration they might be running but in our case as soon as we enroll the TPM/PKCS11 tokens, we remove the passphrase and initiate the re-encryption.

If the volume is closed without having completed re-encryption, it just cant be opened again. It is easy to prototype locally on any machine (create a file of ~60MB, create an ext4 filesystem, and encrypt it with luks).

but tell me more about the configuration of those clients so I can see how they differ...

[ldts]

um, are you sure about what your clients are reporting??

see this:
https://github.com/foundriesio/meta-lmp/blob/main/meta-lmp-base/recipes-core/initrdscripts/initramfs-framework/cryptfs#L109

with the current code in the baseline, if online reencryption didnt finish and the board reboots we are going to block initramfs until it completes (resume is a blocking call)

having said that, this segment of code seems to succeed at opening ? which is kind of weird...

[kprosise]

Left some suggestions, but it LGTM!

[doanac]

Docs for efb04d2 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2467/docs/artifacts/html/index.html

[doanac]

Docs for 79977a1 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2468/docs/artifacts/html/index.html

[doanac]

Docs for 38c5b50 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2469/docs/artifacts/html/index.html

[doanac]

Docs for 3a71ee8 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2470/docs/artifacts/html/index.html

[doanac]

Docs for 285b686 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2471/docs/artifacts/html/index.html

[kprosise]

@ldts whenever you are ready for this to be merged, squash the commits and give me the word!

[ldts]

@ldts whenever you are ready for this to be merged, squash the commits and give me the word!

thanks @kprosise just waiting for the final functional review

[doanac]

Docs for aa10607 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2520/docs/artifacts/html/index.html

[ldts]

#639