Skip to content

fix: handle encryption keys with newline in AddKey #145

Merged
talos-bot merged 1 commit intosiderolabs:v2from
smira:fix/raw-key-handling
Feb 19, 2026
Merged

fix: handle encryption keys with newline in AddKey #145
talos-bot merged 1 commit intosiderolabs:v2from
smira:fix/raw-key-handling

Conversation

@smira
Copy link
Copy Markdown
Member

@smira smira commented Feb 18, 2026

Without proper flags to cryptsetup, it stops reading the key after the first \n which cuts the encryption key (if it contains that character), rendering the key unusable.

I dropped the SetKey method, as it doesn't seem to be used in Talos, and I can't make cryptsetup handle \n correctly there.

@github-project-automation github-project-automation bot moved this to To Do in Planning Feb 18, 2026
@talos-bot talos-bot moved this from To Do to In Review in Planning Feb 18, 2026
@smira smira force-pushed the fix/raw-key-handling branch from 85de8ad to fdd8449 Compare February 18, 2026 17:32
@smira smira changed the title fix: handling of encryption keys in AddKey fix: handle encryption keys with newline in AddKey Feb 18, 2026
smira
smira commented Feb 18, 2026
View reviewed changes
encryption/luks/luks.go
"--key-file=-",
fmt.Sprintf("--keyfile-size=%d", keyfileLen),
"--new-keyfile=-",
fmt.Sprintf("--new-keyfile-size=%d", len(newKey.Value)),
Copy link
Copy Markdown
Member Author

@smira smira Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the actual fix (passing the length explicitly stops cryptsetup from trying to look for \n)

@smira smira requested review from Unix4ever and Copilot February 18, 2026 17:35
Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes LUKS key handling when keys contain newline (\n) characters by ensuring cryptsetup reads the full key from stdin, and updates tests to exercise newline/binary key rotation flows.

Changes:

  • Update luksAddKey invocation to pass both old/new keys via stdin with explicit --keyfile-size / --new-keyfile-size.
  • Add/expand LUKS tests to include newline-containing keys and multi-step key rotation.
  • Remove SetKey from the exported encryption.Provider interface and drop the LUKS implementation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File Description
encryption/provider.go Removes SetKey from the public Provider interface.
encryption/luks/luks.go Adds explicit keyfile sizing flags for AddKey, CheckKey, and RemoveKey cryptsetup calls.
encryption/luks/luks_test.go Updates tests to use newline-containing keys and adds a key-rotation test.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@smira smira force-pushed the fix/raw-key-handling branch from fdd8449 to 0baa86a Compare February 18, 2026 17:44
@smira
fix: handle encryption keys with newline in AddKey
728ca1c 
Without proper flags to `cryptsetup`, it stops reading the key after the
first `\n` which cuts the encryption key (if it contains that
character), rendering the key unusable.

I dropped the `SetKey` method, as it doesn't seem to be used in Talos,
and I can't make `cryptsetup` handle `\n` correctly there.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@smira smira force-pushed the fix/raw-key-handling branch from 0baa86a to 728ca1c Compare February 18, 2026 17:44
@github-project-automation github-project-automation bot moved this from In Review to Approved in Planning Feb 19, 2026
@smira
Copy link
Copy Markdown
Member Author

smira commented Feb 19, 2026

/m

@talos-bot talos-bot merged commit 728ca1c into siderolabs:v2 Feb 19, 2026
15 checks passed
@github-project-automation github-project-automation bot moved this from Approved to Done in Planning Feb 19, 2026
smira added a commit to smira/talos that referenced this pull request Feb 19, 2026
@smira
fix: handle raw encryption keys with \n properly
7a5eb50 
This pulls in a fix siderolabs/go-blockdevice#145

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@smira smira mentioned this pull request Feb 19, 2026
Merged
smira added a commit to smira/talos that referenced this pull request Feb 19, 2026
@smira
fix: handle raw encryption keys with \n properly
25c0bce 
This pulls in a fix siderolabs/go-blockdevice#145

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this pull request Feb 19, 2026
@smira
fix: handle raw encryption keys with \n properly
9e04ae1 
This pulls in a fix siderolabs/go-blockdevice#145

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this pull request Feb 19, 2026
@smira
fix: handle raw encryption keys with \n properly
f018fbe 
This pulls in a fix siderolabs/go-blockdevice#145

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this pull request Mar 6, 2026
@smira
fix: handle raw encryption keys with \n properly
d935420 
This pulls in a fix siderolabs/go-blockdevice#145

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit f018fbe)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@frezbo frezbo frezbo approved these changes

@Unix4ever Unix4ever Awaiting requested review from Unix4ever

Assignees

No one assigned

Labels

None yet

Projects

Planning
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@smira @frezbo @talos-bot