https://bugs.kde.org/show_bug.cgi?id=425213
Bug ID: 425213 Summary: encrypted root with separate boot automatically decrypted during system startup. Product: neon Version: unspecified Platform: Neon Packages OS: Linux Status: REPORTED Severity: normal Priority: NOR Component: Live/Install images Assignee: neon-b...@kde.org Reporter: jrfo...@xs4all.nl CC: j...@jriddell.org, neon-b...@kde.org, sit...@kde.org Target Milestone: --- Created attachment 130779 --> https://bugs.kde.org/attachment.cgi?id=130779&action=edit screenshots during install SUMMARY Calamares unlocks / with a key file, even if /boot is intentionally unencrypted. Not sure if this is a bug in Calamares or the setup that KDE Neon uses. I think the error is in the expectation that /boot is encrypted as well, in which case a key file for / is useful. But when /boot is unencrypted, this is an rather severe error. STEPS TO REPRODUCE Install KDE Neon with the following setup: 1. Select "Manual partitioning" 2. Select "New Partition Table" and choose MBR 3. Create new partition of size 1024 MiB, Primary, File System Ext4, Mount Point /boot. 4. Create new partition of remaining size, Primary, File System btrfs, Encrypt, Mount Point /. 5. Next 6. Read message about GPT 7. Read message about separate boot with encrypted root. 8. Fill out Users form. Do not login automatically. 9. Install. 10. Reboot. OBSERVED RESULT A luks device is created and a single slot is filled at the beginning of the installation, when the disks are prepared. At the end of the installation, there are 2 key slots in use and there is a definition for decryption of / with a key file in /etc/crypttab. After a reboot, / is automatically decrypted. EXPECTED RESULT A luks device is created and a single slot is filled at the beginning of the installation, when the disks are prepared. At the end of the installation, there is still only 1 key slot in use. After a reboot, after grub and loading the kernel and initramfs, there is a prompt for my password. SOFTWARE/OS VERSIONS Linux/KDE Plasma: neon-user-20200810-1423 (available in About System) KDE Plasma Version: 5.19.4 KDE Frameworks Version: 5.72.0 Qt Version: 5.14.2 ADDITIONAL INFORMATION I'm not sure how initram is able to get the key file, seeing how the decryption key for root is also on root. -- You are receiving this mail because: You are watching all bug changes.