Azure · pankajosh · Nov 29, 2023 · Nov 30, 2023 · Dec 9, 2023 · Dec 9, 2023
diff --git a/VMEncryption/main/BekUtil.py b/VMEncryption/main/BekUtil.py
@@ -15,7 +15,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+import sys
+import os
 from Common import CommonVariables
 from IMDSUtil import IMDSStoredResults
 from BekUtilVolumeImpl import BekUtilVolumeImpl
@@ -43,6 +44,19 @@ def __init__(self, disk_util, logger, encryption_environment=None):
     def generate_passphrase(self):
         return self.bekUtilImpl.generate_passphrase()
 
+    def store_bek_passphrase_file_name(self,encryption_config, passphrase,key_file_name):
+        '''this function is used to store passphrase to specific file name'''
+        #update new passphrase to key_file_path.
+        key_file_dir = os.path.dirname(self.get_bek_passphrase_file(encryption_config))
+        key_file_path = os.path.join(key_file_dir,key_file_name)
+        if sys.version_info[0] < 3:
+            if isinstance(passphrase, str):
+                passphrase = passphrase.decode('utf-8')
+        with open(key_file_path, 'wb') as f:
+            f.write(passphrase)
+        #making sure the permissions are read only to root user.
+        os.chmod(key_file_path,0o400)
+
     def store_bek_passphrase(self, encryption_config, passphrase):
         return self.bekUtilImpl.store_bek_passphrase(encryption_config,passphrase)
 

diff --git a/VMEncryption/main/Common.py b/VMEncryption/main/Common.py
@@ -60,9 +60,17 @@ class CommonVariables:
     """
     CVM LUKS2 header token
     """
+    #this token id is used to store Primary ADE (encryption setting + wrapped passphrase) token.
     cvm_ade_vm_encryption_token_id = 5
+    #this token id is used to store backup of token id 5, during KEK rotation.
+    cvm_ade_vm_encryption_backup_token_id = 6
     ADEEncryptionVersionInLuksToken_1_0='1.0'
-    PassphraseNameValue = 'LUKSPasswordProtector'
+    PassphraseNameValueProtected = 'LUKSPasswordProtector'
+    #this token type is used to store Primary ADE token. Type id: 5
+    AzureDiskEncryptionToken = 'Azure_Disk_Encryption'
+    #this token type is used to store backup ADE token. Type id: 6
+    #this token used for recovery to token 5 in case of reboot/interruption happened during KEK rotation.
+    AzureDiskEncryptionBackUpToken='Azure_Disk_Encryption_BackUp'
     """
     IMDS IP:
     """

diff --git a/VMEncryption/main/CryptMountConfigUtil.py b/VMEncryption/main/CryptMountConfigUtil.py
@@ -142,7 +142,7 @@ def _restore_backup_crypttab_info(self,crypt_item,passphrase_file):
             return False
 
         if not os.path.exists(azure_crypt_mount_backup_location) and not os.path.exists(crypttab_backup_location):
-            self.logger.log(msg=("MountPoint info not found for" + device_item_real_path), level=CommonVariables.ErrorLevel)
+            self.logger.log(msg=("MountPoint info not found for" + crypt_item.dev_path), level=CommonVariables.ErrorLevel)
             # Not sure when this happens..
             # in this case also, just add an entry to the azure_crypt_mount without a mount point.
             self.add_crypt_item(crypt_item)
@@ -265,19 +265,21 @@ def device_unlock_using_luks2_header(self):
         threads = []
         lock = threading.Lock()
         for device_item in device_items:
-            if device_item.file_system == "crypto_LUKS": 
+            if device_item.file_system == "crypto_LUKS":
+                 #restore LUKS2 token using BackUp.
+                 self.disk_util.restore_luks2_token(device_name=device_item.name)
                  device_item_path = self.disk_util.get_device_path(device_item.name)
                  azure_item_path = azure_name_table[device_item_path] if device_item_path in azure_name_table else device_item_path
                  thread = threading.Thread(target=self._device_unlock_using_luks2_header,args=(device_item.name,device_item_path,azure_item_path,lock))
                  threads.append(thread)
                  thread.start()
         for thread in threads:
-            thread.join()       
+            thread.join()
         self.logger.log("device_unlock_using_luks2_header End")
 
     def consolidate_azure_crypt_mount(self, passphrase_file):
         """
-        Reads the backup files from block devices that have a LUKS header and adds it to the cenral azure_crypt_mount file
+        Reads the backup files from block devices that have a LUKS2 header and adds it to the central azure_crypt_mount file
         """
         self.logger.log("Consolidating azure_crypt_mount")