Ceph » rbd

Create a clone encrypted differently from its parent:

$ rbd create --size 1G parent
$ rbd encryption format parent luks1 passphrase1
$ rbd snap create parent@snap
$ rbd snap protect parent@snap
$ rbd clone parent@snap clone
$ rbd encryption format clone luks2 passphrase2

Opening it requires passing two encryption specs, as expected:

$ sudo rbd device map -t nbd -o encryption-format=luks2,encryption-passphrase-file=passphrase2,encryption-format=luks1,encryption-passphrase-file=passphrase1 clone
/dev/nbd0

However opening the same clone under migration with the same command fails:

$ sudo rbd device unmap -t nbd clone
$ rbd migration prepare clone migr-clone
$ sudo rbd device map -t nbd -o encryption-format=luks2,encryption-passphrase-file=passphrase2,encryption-format=luks1,encryption-passphrase-file=passphrase1 migr-clone
2023-10-11T14:35:10.021-0400 7f29b6ffd700 -1 librbd::crypto::LoadRequest: 0x558cb50f9ee0 handle_load: failed to load encryption. image name: clone
rbd-nbd: failed to load encryption: (22) Invalid argument
rbd: rbd-nbd failed with error: /home/dis/src/ceph-b/build/bin/rbd-nbd: exit status: 1

Duplicating clone's encryption spec helps:

$ sudo rbd device map -t nbd -o encryption-format=luks2,encryption-passphrase-file=passphrase2,encryption-format=luks2,encryption-passphrase-file=passphrase2,encryption-format=luks1,encryption-passphrase-file=passphrase1 migr-clone
/dev/nbd0