
[BUG] Longhorn Fails to enable volume security on FIPS enabled systems #12721

Description

@wstutt

Describe the Bug

When attempting to enable Volume Security/LUKS on a FIPS-enabled system (SLE-Micro 6.1), kernel FIPS mode is preventing Longhorn from encrypting the volume with an error as follows:

Failed due to error: failed to process sync file: failed to open clone source file: failed to setup the crypto device with the file /data/tmp/vmi-0ea83e45-a64e-4b44-a692-33d43695daea-79655ac7.tmp during cloning: failed to encrypt device /dev/loop6 with LUKS: failed to execute: /usr/bin/nsenter [nsenter --mount=/host/proc/3423961/ns/mnt --ipc=/host/proc/3423961/ns/ipc cryptsetup -q luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --key-size 512 --pbkdf pbkdf2 /dev/loop6 -d -], output , stderr Not compatible PBKDF2 options (using hash algorithm sha512).: exit status 1

This is because the following flag is being enforced:

--pbkdf-force-iterations <count>

Longhorn Volume security does not expose this flag:

https://github.com/longhorn/go-common-libs/blob/main/ns/crypto.go#L27-L38

Therefore volume encryption is not possible.

To Reproduce

On a FIPS enabled system, attempt to use Longhorn Volume Security.

To prove it on the command line the following tests can be performed (same encryption options as longhorn is attempting):

Create a test image:

# dd if=/dev/zero of=/tmp/fips_test.img bs=1M count=500
500+0 records in
500+0 records out
524288000 bytes (524 MB, 500 MiB) copied, 0.12113 s, 4.3 GB/s

Attempt to encrypt it:

# cryptsetup luksFormat /tmp/fips_test.img   --type luks2   --cipher aes-xts-plain64   --hash sha512   --key-size 512   --pbkdf pbkdf2

WARNING!
========
This will overwrite data on /tmp/fips_test.img irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /tmp/fips_test.img: 
Verify passphrase: 
Not compatible PBKDF2 options (using hash algorithm sha512).

Encrypt again, this time with force iterations set:

# cryptsetup luksFormat /tmp/fips_test.img \
>   --type luks2 \
>   --cipher aes-xts-plain64 \
>   --key-size 256 \
>   --hash sha512 \
>   --pbkdf pbkdf2 \
>   --pbkdf-force-iterations 200000 \
>   --pbkdf-memory 0

WARNING!
========
This will overwrite data on /tmp/fips_test.img irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /tmp/fips_test.img: 
Verify passphrase:
<success>

Expected Behavior

I would like Longhorn to be able to encrypt volumes on FIPS-enabled systems.
Please expose the --pbkdf-force-iterations flag to longhorn volume security.

Support Bundle for Troubleshooting

N/A

Environment

  • Longhorn version: v1.10.2
  • Impacted volume (PV): Any attempted encrypted volume
  • Installation method (e.g. Rancher Catalog App/Helm/Kubectl): helm
  • Kubernetes distro (e.g. RKE/K3s/EKS/OpenShift) and version: rke2
    • Number of control plane nodes in the cluster: 3
    • Number of worker nodes in the cluster: 1
  • Node config
    • OS type and version: SLE-Micro 6.1
    • Kernel version: 6.4.0
    • CPU per node: 20
    • Memory per node: 96gb
    • Disk type (e.g. SSD/NVMe/HDD): NVMe
    • Network bandwidth between the nodes (Gbps): 20GB/s
  • Underlying Infrastructure (e.g. on AWS/GCE, EKS/GKE, VMWare/KVM, Baremetal): Bare Metal
  • Number of Longhorn volumes in the cluster: 20

Additional context

No response

Workaround and Mitigation

I was able to create a helper script that replaces the cryptsetup binary and appends the --pbkdf-force-iterations flag, and successfully encrypt volumes.

Labels

  • area/volume-encryption: Volume encryption related
  • kind/bug
  • priority/0: Must be implemented or fixed in this release (managed by PO)
  • require/auto-e2e-test: Require adding/updating auto e2e test cases if they can be automated
  • require/doc: Require updating the longhorn.io documentation
