Allow parallel encryption, reencryption and decryption operations

jbaublitz · jbaublitz · commit 97410b3fef9f · 2026-01-28T14:51:44.000-05:00
diff --git a/src/engine/strat_engine/cmd.rs b/src/engine/strat_engine/cmd.rs
@@ -111,7 +111,6 @@ const CLEVIS_EXEC_NAMES: &[&str] = &[
     CLEVIS_REGEN,
     JOSE,
     JQ,
-    CRYPTSETUP,
     CURL,
     TPM2_CREATEPRIMARY,
     TPM2_UNSEAL,
@@ -132,6 +131,7 @@ static EXECUTABLES: LazyLock<HashMap<String, Option<PathBuf>>> = LazyLock::new(|
             THIN_METADATA_SIZE.to_string(),
             find_executable(THIN_METADATA_SIZE),
         ),
+        (CRYPTSETUP.to_string(), find_executable(CRYPTSETUP)),
     ]
     .iter()
     .cloned()
@@ -575,3 +575,38 @@ pub fn thin_metadata_size(
         )))
     }
 }
+
+pub fn run_encrypt(path: &Path) -> StratisResult<()> {
+    get_persistent_keyring()?;
+    let mut cmd = Command::new(CRYPTSETUP);
+    cmd.arg("reencrypt")
+        .arg("--encrypt")
+        .arg("--resume-only")
+        .arg("--token-only")
+        .arg(path);
+
+    execute_cmd(&mut cmd)
+}
+
+pub fn run_reencrypt(path: &Path) -> StratisResult<()> {
+    get_persistent_keyring()?;
+    let mut cmd = Command::new(CRYPTSETUP);
+    cmd.arg("reencrypt")
+        .arg("--resume-only")
+        .arg("--token-only")
+        .arg(path);
+
+    execute_cmd(&mut cmd)
+}
+
+pub fn run_decrypt(path: &Path) -> StratisResult<()> {
+    get_persistent_keyring()?;
+    let mut cmd = Command::new(CRYPTSETUP);
+    cmd.arg("reencrypt")
+        .arg("--decrypt")
+        .arg("--resume-only")
+        .arg("--token-only")
+        .arg(path);
+
+    execute_cmd(&mut cmd)
+}
diff --git a/src/engine/strat_engine/crypt/handle/v2.rs b/src/engine/strat_engine/crypt/handle/v2.rs
@@ -35,7 +35,9 @@ use crate::{
         engine::MAX_STRATIS_PASS_SIZE,
         strat_engine::{
             backstore::{backstore::v2, get_devno_from_path, get_logical_sector_size},
-            cmd::{clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind},
+            cmd::{
+                clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind, run_decrypt, run_encrypt,
+            },
             crypt::{
                 consts::{
                     DEFAULT_CRYPT_DATA_OFFSET_V2, DEFAULT_CRYPT_KEYSLOTS_SIZE,
@@ -818,38 +820,43 @@ impl CryptHandle {
         sector_size: u32,
         key_info: (u32, SizedKeyMemory),
     ) -> StratisResult<()> {
-        let mut device = acquire_crypt_device(unencrypted_path)?;
-        let activation_name = &format_crypt_backstore_name(&pool_uuid).to_string();
-        let (keyslot, key) = key_info;
-        device.reencrypt_handle().reencrypt_init_by_passphrase(
-            Some(activation_name),
-            key.as_ref(),
-            None,
-            Some(keyslot),
-            Some(("aes", "xts-plain64")),
-            CryptParamsReencrypt {
-                mode: CryptReencryptModeInfo::Encrypt,
-                direction: CryptReencryptDirectionInfo::Forward,
-                resilience: "checksum".to_string(),
-                hash: "sha256".to_string(),
-                data_shift: 0,
-                max_hotzone_size: 0,
-                device_size: 0,
-                luks2: Some(CryptParamsLuks2 {
-                    data_alignment: 0,
-                    data_device: None,
-                    integrity: None,
-                    integrity_params: None,
-                    pbkdf: None,
-                    label: None,
-                    sector_size,
-                    subsystem: None,
-                }),
-                flags: CryptReencrypt::RESUME_ONLY,
-            },
-        )?;
+        {
+            let mut device = acquire_crypt_device(unencrypted_path)?;
+            let activation_name = &format_crypt_backstore_name(&pool_uuid).to_string();
+            let (keyslot, key) = key_info;
+            device.reencrypt_handle().reencrypt_init_by_passphrase(
+                Some(activation_name),
+                key.as_ref(),
+                None,
+                Some(keyslot),
+                Some(("aes", "xts-plain64")),
+                CryptParamsReencrypt {
+                    mode: CryptReencryptModeInfo::Encrypt,
+                    direction: CryptReencryptDirectionInfo::Forward,
+                    resilience: "checksum".to_string(),
+                    hash: "sha256".to_string(),
+                    data_shift: 0,
+                    max_hotzone_size: 0,
+                    device_size: 0,
+                    luks2: Some(CryptParamsLuks2 {
+                        data_alignment: 0,
+                        data_device: None,
+                        integrity: None,
+                        integrity_params: None,
+                        pbkdf: None,
+                        label: None,
+                        sector_size,
+                        subsystem: None,
+                    }),
+                    flags: CryptReencrypt::RESUME_ONLY,
+                },
+            )?;
+        }
+
         info!("Starting encryption operation on pool with UUID {pool_uuid}; may take a while");
-        device.reencrypt_handle().reencrypt2::<()>(None, None)?;
+        // The corresponding libcryptsetup call is device.reencrypt_handle().reencrypt2::<()>(None, None)?;
+        run_encrypt(unencrypted_path)?;
+
         Ok(())
     }
 
@@ -894,31 +901,35 @@ impl CryptHandle {
 
     /// Decrypt the crypt device for an encrypted pool.
     pub fn decrypt(&self, pool_uuid: PoolUuid) -> StratisResult<()> {
-        let activation_name = format_crypt_backstore_name(&pool_uuid);
-        let mut device = acquire_crypt_device(self.luks2_device_path())?;
-        let (keyslot, key) = get_passphrase(&mut device, self.encryption_info())?
-            .either(|(keyslot, _, key)| (keyslot, key), |tup| tup);
+        {
+            let activation_name = format_crypt_backstore_name(&pool_uuid);
+            let mut device = acquire_crypt_device(self.luks2_device_path())?;
+            let (keyslot, key) = get_passphrase(&mut device, self.encryption_info())?
+                .either(|(keyslot, _, key)| (keyslot, key), |tup| tup);
+
+            device.reencrypt_handle().reencrypt_init_by_passphrase(
+                Some(&activation_name.to_string()),
+                key.as_ref(),
+                Some(keyslot),
+                None,
+                None,
+                CryptParamsReencrypt {
+                    mode: CryptReencryptModeInfo::Decrypt,
+                    direction: CryptReencryptDirectionInfo::Forward,
+                    resilience: "checksum".to_string(),
+                    hash: "sha256".to_string(),
+                    data_shift: 0,
+                    max_hotzone_size: 0,
+                    device_size: 0,
+                    luks2: None,
+                    flags: CryptReencrypt::empty(),
+                },
+            )?;
+        }
 
-        device.reencrypt_handle().reencrypt_init_by_passphrase(
-            Some(&activation_name.to_string()),
-            key.as_ref(),
-            Some(keyslot),
-            None,
-            None,
-            CryptParamsReencrypt {
-                mode: CryptReencryptModeInfo::Decrypt,
-                direction: CryptReencryptDirectionInfo::Forward,
-                resilience: "checksum".to_string(),
-                hash: "sha256".to_string(),
-                data_shift: 0,
-                max_hotzone_size: 0,
-                device_size: 0,
-                luks2: None,
-                flags: CryptReencrypt::empty(),
-            },
-        )?;
         info!("Starting decryption operation on pool with UUID {pool_uuid}; may take a while");
-        device.reencrypt_handle().reencrypt2::<()>(None, None)?;
+        // the corresponding libcryptsetup call is device.reencrypt_handle().reencrypt2::<()>(None, None)?;
+        run_decrypt(self.luks2_device_path())?;
         Ok(())
     }
 
diff --git a/src/engine/strat_engine/crypt/shared.rs b/src/engine/strat_engine/crypt/shared.rs
@@ -1101,6 +1101,33 @@ pub fn handle_setup_reencrypt(
     luks2_path: &Path,
     encryption_info: &EncryptionInfo,
 ) -> StratisResult<(u32, SizedKeyMemory, u32)> {
+    fn set_up_reencryption_token(
+        device: &mut CryptDevice,
+        new_keyslot: u32,
+        ts: u32,
+        mut token_contents: Value,
+    ) -> StratisResult<()> {
+        if let Some(obj) = token_contents.as_object_mut() {
+            let tokens = match obj.remove(TOKEN_KEYSLOTS_KEY) {
+                Some(Value::Array(mut v)) => {
+                    v.push(Value::String(new_keyslot.to_string()));
+                    Value::Array(v)
+                }
+                Some(_) | None => {
+                    return Err(StratisError::Msg(format!(
+                        "Could not find appropriate formatted value for {TOKEN_KEYSLOTS_KEY}"
+                    )));
+                }
+            };
+            obj.insert(TOKEN_KEYSLOTS_KEY.to_string(), tokens);
+        }
+        device
+            .token_handle()
+            .json_set(TokenInput::ReplaceToken(ts, &token_contents))?;
+
+        Ok(())
+    }
+
     let mut device = acquire_crypt_device(luks2_path)?;
 
     let mut keys = get_all_passphrases(&mut device, encryption_info)?;
@@ -1113,7 +1140,7 @@ pub fn handle_setup_reencrypt(
     let (single_ts, single_key) = keys
         .pop()
         .ok_or_else(|| StratisError::Msg("No unlock methods found".to_string()))?;
-    let mut single_token_contents = device.token_handle().json_get(single_ts)?;
+    let single_token_contents = device.token_handle().json_get(single_ts)?;
     let single_keyslot = get_keyslot_number(&mut device, single_ts)?.ok_or_else(|| {
         StratisError::Msg(format!(
             "Could not find keyslot associated with token slot {single_ts}"
@@ -1126,16 +1153,13 @@ pub fn handle_setup_reencrypt(
         single_key.as_ref(),
         CryptVolumeKey::NO_SEGMENT,
     )?;
-    if let Some(obj) = single_token_contents.as_object_mut() {
-        obj.remove(TOKEN_KEYSLOTS_KEY);
-        obj.insert(
-            TOKEN_KEYSLOTS_KEY.to_string(),
-            Value::Array(vec![Value::String(single_new_keyslot.to_string())]),
-        );
-    }
-    device
-        .token_handle()
-        .json_set(TokenInput::ReplaceToken(single_ts, &single_token_contents))?;
+
+    set_up_reencryption_token(
+        &mut device,
+        single_new_keyslot,
+        single_ts,
+        single_token_contents,
+    )?;
 
     let mut new_vk = SafeMemHandle::alloc(STRATIS_MEK_SIZE)?;
     device.volume_key_handle().get(
@@ -1145,24 +1169,15 @@ pub fn handle_setup_reencrypt(
     )?;
 
     for (ts, key) in other_keys {
-        let mut token_contents = device.token_handle().json_get(ts)?;
+        let token_contents = device.token_handle().json_get(ts)?;
 
         let new_keyslot = device.keyslot_handle().add_by_key(
             None,
             Some(Either::Left(new_vk.as_ref())),
             key.as_ref(),
             CryptVolumeKey::NO_SEGMENT | CryptVolumeKey::DIGEST_REUSE,
         )?;
-        if let Some(obj) = token_contents.as_object_mut() {
-            obj.remove(TOKEN_KEYSLOTS_KEY);
-            obj.insert(
-                TOKEN_KEYSLOTS_KEY.to_string(),
-                Value::Array(vec![Value::String(new_keyslot.to_string())]),
-            );
-        }
-        device
-            .token_handle()
-            .json_set(TokenInput::ReplaceToken(ts, &token_contents))?;
+        set_up_reencryption_token(&mut device, new_keyslot, ts, token_contents)?;
     }
 
     Ok((single_keyslot, single_key, single_new_keyslot))
@@ -1179,41 +1194,44 @@ pub fn handle_do_reencrypt(
     single_key: SizedKeyMemory,
     single_new_keyslot: u32,
 ) -> StratisResult<()> {
-    let mut device = acquire_crypt_device(luks2_path)?;
-
-    let cipher = device.status_handle().get_cipher()?;
-    let cipher_mode = device.status_handle().get_cipher_mode()?;
-    let sector_size = convert_int!(get_sector_size(Some(&mut device)), i32, u32)?;
-    device.reencrypt_handle().reencrypt_init_by_passphrase(
-        Some(device_name),
-        single_key.as_ref(),
-        Some(single_keyslot),
-        Some(single_new_keyslot),
-        Some((&cipher, &cipher_mode)),
-        CryptParamsReencrypt {
-            mode: CryptReencryptModeInfo::Reencrypt,
-            direction: CryptReencryptDirectionInfo::Forward,
-            resilience: "checksum".to_string(),
-            hash: "sha256".to_string(),
-            data_shift: 0,
-            max_hotzone_size: 0,
-            device_size: 0,
-            luks2: Some(CryptParamsLuks2 {
-                data_alignment: 0,
-                data_device: None,
-                integrity: None,
-                integrity_params: None,
-                pbkdf: None,
-                label: None,
-                sector_size,
-                subsystem: None,
-            }),
-            flags: CryptReencrypt::empty(),
-        },
-    )?;
+    {
+        let mut device = acquire_crypt_device(luks2_path)?;
+
+        let cipher = device.status_handle().get_cipher()?;
+        let cipher_mode = device.status_handle().get_cipher_mode()?;
+        let sector_size = convert_int!(get_sector_size(Some(&mut device)), i32, u32)?;
+        device.reencrypt_handle().reencrypt_init_by_passphrase(
+            Some(device_name),
+            single_key.as_ref(),
+            Some(single_keyslot),
+            Some(single_new_keyslot),
+            Some((&cipher, &cipher_mode)),
+            CryptParamsReencrypt {
+                mode: CryptReencryptModeInfo::Reencrypt,
+                direction: CryptReencryptDirectionInfo::Forward,
+                resilience: "checksum".to_string(),
+                hash: "sha256".to_string(),
+                data_shift: 0,
+                max_hotzone_size: 0,
+                device_size: 0,
+                luks2: Some(CryptParamsLuks2 {
+                    data_alignment: 0,
+                    data_device: None,
+                    integrity: None,
+                    integrity_params: None,
+                    pbkdf: None,
+                    label: None,
+                    sector_size,
+                    subsystem: None,
+                }),
+                flags: CryptReencrypt::empty(),
+            },
+        )?;
+    }
 
     info!("Starting reencryption operation on pool with UUID {pool_uuid}; may take a while");
-    device.reencrypt_handle().reencrypt2::<()>(None, None)?;
+    // The corresponding libcryptsetup call is device.reencrypt_handle().reencrypt2::<()>(None, None)?;
+    cmd::run_reencrypt(luks2_path)?;
 
     Ok(())
 }
