https://bugs.kde.org/show_bug.cgi?id=425213

            Bug ID: 425213
           Summary: encrypted root with separate boot automatically
                    decrypted during system startup.
           Product: neon
           Version: unspecified
          Platform: Neon Packages
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: Live/Install images
          Assignee: neon-b...@kde.org
          Reporter: jrfo...@xs4all.nl
                CC: j...@jriddell.org, neon-b...@kde.org, sit...@kde.org
  Target Milestone: ---

Created attachment 130779
  --> https://bugs.kde.org/attachment.cgi?id=130779&action=edit
screenshots during install

SUMMARY
Calamares unlocks / with a key file, even if /boot is intentionally
unencrypted. Not sure if this is a bug in Calamares or the setup that KDE Neon
uses. I think the error is in the expectation that /boot is encrypted as well,
in which case a key file for / is useful. But when /boot is unencrypted, this
is a rather severe error.

STEPS TO REPRODUCE
Install KDE Neon with the following setup:
1. Select "Manual partitioning"
2. Select "New Partition Table" and choose MBR
3. Create new partition of size 1024 MiB, Primary, File System Ext4, Mount
Point /boot.
4. Create new partition of remaining size, Primary, File System btrfs, Encrypt,
Mount Point /.
5. Next
6. Read message about GPT
7. Read message about separate boot with encrypted root.
8. Fill out Users form. Do not login automatically.
9. Install.
10. Reboot.

OBSERVED RESULT
A luks device is created and a single slot is filled at the beginning of the
installation, when the disks are prepared. At the end of the installation,
there are 2 key slots in use and there is a definition for decryption of / with
a key file in /etc/crypttab.
After a reboot, / is automatically decrypted.

EXPECTED RESULT
A luks device is created and a single slot is filled at the beginning of the
installation, when the disks are prepared. At the end of the installation,
there is still only 1 key slot in use.
After a reboot, after grub and loading the kernel and initramfs, there is a
prompt for my password.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: neon-user-20200810-1423
(available in About System)
KDE Plasma Version: 5.19.4
KDE Frameworks Version: 5.72.0
Qt Version: 5.14.2

ADDITIONAL INFORMATION
I'm not sure how initram is able to get the key file, seeing how the decryption
key for root is also on root.
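
A check for the end state described in this report, as an added example that is not part of the original report or of Calamares: it parses crypttab and fstab text and lists the mappings unlocked from a stored key file while /boot is a separate mount that is not itself a crypttab mapping. The sample file contents, UUIDs and key file path are constructed, and treating a /boot that is not mounted from /dev/mapper/<name> as unencrypted is a heuristic assumption.

```python
# Constructed samples modelling the installed system described in the report.
SAMPLE_CRYPTTAB = """\
# <name> <device> <key file> <options>
luks-root UUID=00000000-0000-0000-0000-000000000001 /example_keyfile.bin luks
"""
SAMPLE_FSTAB = """\
UUID=00000000-0000-0000-0000-000000000002 /boot ext4 defaults 0 2
/dev/mapper/luks-root / btrfs defaults 0 1
"""

def parse_table(text):
    """Split crypttab/fstab text into field lists, skipping blanks and '#' lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split())
    return rows

def keyfile_entries(crypttab_text):
    """Map each crypttab name to its key file when one is stored on disk."""
    found = {}
    for fields in parse_table(crypttab_text):
        if len(fields) < 2:
            continue
        keyfile = fields[2] if len(fields) > 2 else "none"
        # "none" and "-" mean an interactive prompt; /dev/* sources
        # (for example random swap keys) are not stored key files.
        if keyfile not in ("none", "-") and not keyfile.startswith("/dev/"):
            found[fields[0]] = keyfile
    return found

def boot_is_unencrypted(crypttab_text, fstab_text):
    """Heuristic: a separate /boot not mounted from a crypttab mapping is plain."""
    mappings = {f[0] for f in parse_table(crypttab_text)}
    for fields in parse_table(fstab_text):
        if len(fields) >= 2 and fields[1] == "/boot":
            spec = fields[0]
            mapped = spec.startswith("/dev/mapper/") and spec.rsplit("/", 1)[1] in mappings
            return not mapped
    return False  # no separate /boot entry: /boot lives on the root filesystem

def audit(crypttab_text, fstab_text):
    """Names of key-file-unlocked mappings on a system with an unencrypted /boot."""
    if not boot_is_unencrypted(crypttab_text, fstab_text):
        return []
    return sorted(keyfile_entries(crypttab_text))

if __name__ == "__main__":
    print(audit(SAMPLE_CRYPTTAB, SAMPLE_FSTAB))
```

On an installed system, pass the contents of /etc/crypttab and /etc/fstab to `audit()`; `cryptsetup luksDump` on the LUKS device shows how many key slots are in use.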
