this post was submitted on 19 Oct 2023
59 points (92.8% liked)

Linux

47970 readers
1291 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hi everybody, bit of a warning here: The recovery key generated during the installation of Ubuntu 23.10 (if you select tpm-backed fde) cannot be used to unlock the disk outside of boot, as in any 'cryptsetup' command and so on will not accept the recovery key. unlocking when accessed from different system does not work etc.

You can use it to unlock the disk while booting if your tpm somehow fails, but ONLY in that specific situation.

I kind of purposefully broke my tpm keys to see if it could be restored with 23.10 and ended up having to reinstal, as I ended up having to enter the recovery key at boot every time and no way of adding additional unlock options to the volume, as cryptsetup would not accept the recovery key as passphrase.

This bug could be very bad for new users.

See this bug report: https://bugs.launchpad.net/ubuntu-desktop-installer/+bug/2039741

all 16 comments
sorted by: hot top controversial new old
[–] [email protected] 16 points 1 year ago (1 children)

Yet another reason why I wouldn't put anything important on a tpm encrypted volume 😹 I just don't trust it

[–] [email protected] 11 points 1 year ago* (last edited 11 months ago) (2 children)

[This comment has been deleted by an automated system]

[–] [email protected] 3 points 1 year ago (1 children)

That's true, but the issue is that cryptsetup does not accept the recovery key as a passphrase for the disk. Once the tpm gets reset, the user has to always enter the recovery key and cannot implement a new key to luks and the tpm.

[–] [email protected] 5 points 1 year ago* (last edited 11 months ago) (2 children)

[This comment has been deleted by an automated system]

[–] [email protected] 2 points 1 year ago

I wasn't blaming cryptsetup, my mistake if it came across as though I did.

Thank you for taking the time to look into a possible fix, I might just reinstall with tpm-backed fde again to see if this really works.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

@Skull giver -- I mentioned this above, but couldn't link it to you.

I like the code but the go run recover.go 2> key.text does not redirect the key to a file. It does not get input of the recovery key, so errors. Could you please add a few lines to write it directly to that file, instead of displaying it? (or output to both?)

As someone thought, what is displayed onscreen is jibberish, because console cannot display raw hex characters... I'm thinking the LUKS key in the keyslot is raw or hex.

As I now know, it is translated. And we can get the recovery key (hopefully) translated the other way around...

If I can just find the valid key value, and write it to a file, then I can help @inchbinjasokreativ to write it back to his TPM. I've already written a BASH script to do that, but am just missing that key-file. I have the problem replicated to a VM, so can test it on that first.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Yeah I’m hybrid Windows/Linux user, but many of my drives are Bitlocker encrypted. I need to install a bios update. To do so, it requires me to decrypt every bitlocker drive and not just the OS drive. Because the TPM keystore is based on the OS key store for each bitlocker drive. It’s frustrating, but it makes sense, so I’m all for additional security

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (1 children)

As you can see by my UserName, I am the person who filed that Bug as a danger to users... Specifically brought up by @ichbinsokreativ, me trying to help him...

Thank you Skull giver for the golang code, I had to debug your code, to get it to run, because of the forum transposing HTML char codes for some characters... Unfortunatley, displaying the result onto console displays 'jibberish', as you thought might happen. Console cannot display raw hex characters.

Redirecting the output as you posted doesn't work, as the script then doesn't get the input of the recovery key, so errors.

I have a request... I know a lot of languages, but GO isn't one of them. Please... Could you please add a few lines to write the result directly to a file called recovery.key? Then if raw or hex, it would get to a key-file... Then I can test if that is going to work to add additional keys to the LUKS containers, and to be able to help people re-enroll the TPM key.

If you could, they we would have a recovery work-around.

Yes. They did something similar for past ZFS encryptions i their canned installs, but used native ZFS encryption, with a locked encrytped keyfile stored within a LUKS container, that had to be unlocked and mounted before unlocking the ZFS pools. Sometimes I don't follow the logic behind some things.

It seems like they often add complication to what should be simpler.

[–] [email protected] 1 points 1 year ago (1 children)

Is it still possible to add an extra key (in another slot) to unlock it with cryptsetup? Adding this extra key might beat the purpose of using the TPM but if you choose a long random key and store it in a password manager that should still be pretty safe right?

[–] [email protected] 2 points 1 year ago

it's not, because to to so you need to enter a valid passphrase to cryptsetup, which the recovery key is NOT

[–] [email protected] 1 points 1 year ago (1 children)

Okay so I just read up on this. It's it true that TPM backed FDE only allows snaps?!?

Debs are completely unsupported?

[–] [email protected] 1 points 1 year ago

The ubuntu implementation is based on snap, but if you want to purge snapd (just install another distro at that point though), you can implement encryption as usual and add the tpm later on. Snap is only neccessary if you enable tpm-backed fde from setup.