Public bug reported:
[Description]
This new feature of the installer adds a recovery key to the password page when
the user selects an encrypted installation.
The recovery key contains digits only and is generated automatically. The user
can write it down or save it to a file that can then be used as input to unlock
an encrypted volume.
This patch modifies the crypto page of the installer, the debconf
templates (which introduces new strings) and the related python code.
[Rationale]
This is a request from corporate users to recover machines where the primary
key has been lost (forgotten, user left the company, ...)
[Risks]
* Errors in python or UI code, either the installer won't load at all or the
security page will trigger a crash. These are both highly visible crashes. The
logs are in /var/log/syslog and /var/log/installer/
* Errors in the debconf templates: Some strings won't be translated on
non-english installations
* When the file browser opens verify that it opens in the right home directory.
If it fails it would be a minor issue, the user can still browse to a writable
location.
[Build]
Builds and tested successfully locally in live session and ubiquity-dm
[Other info]
Code reviewed, approved and already merged in main.
[Test Plan]
1. Start latest Focal iso, and install the deb package ubiquity,
ubiquity-frontend-gtk and ubiquity-ubuntu-artwork.
2. Proceed with the installation until the partitioning page.
3. Select "Advanced features"
4. In the new dialog, select LVM and check the box to enable encryption.
5. Close the dialog and continue installation
6. The page to enter a passphrase will be displayed.
7. Enter a passphrase.
8. In the "recovery key" section of the page, make the field visible to reveal
the automatically generated password. Verify that it contains only digits.
9. Click on the refresh button next to the field and verify that the password
is refreshed and contains only digits.
10. Write the password down.
11. Click on the file browser icon, and verify that the file browser opens in
the home directory of the user.
12. Create a new folder to write the key too and close the file browser window
13. Continue with installation to the end but do not reboot yet.
14. Open Nautilus or a terminal and verify that the key is saved to the
location you entered previously.
15. Verify that the content of the key matches the password that you wrote down
in step 10.
16. Reboot the machine.
17. At the password prompt of plymouth, enter the passphrase you entered at
step 7, press enter, and verify that the volume is unlocked and the machine
boots as expected.
18. Reboot the machine
19. At the password prompt of plymouth, enter the password you wrote down at
step 10, press enter, and verify that the volume is unlocked and the machine
boots as expected.
20. Repeat the test from ubiquity-dm (boot with systemd.unit=rescue.target, in
recovery mode systemctl start network-online.target, copy the debs with scp and
install them)
** Affects: ubiquity (Ubuntu)
Importance: Undecided
Status: New
** Merge proposal linked:
https://code.launchpad.net/~jibel/ubiquity/+git/ubiquity-1/+merge/397742
** Description changed:
[Description]
This new feature of the installer adds a recovery key to the password page
when the user selects an encrypted installation.
The recovery key contains digits only and is generated automatically. The
user can write it down or save it to a file that can then be used as input to
unlock an encrypted volume.
This patch modifies the crypto page of the installer, the debconf
templates (which introduces new strings) and the related python code.
[Rationale]
This is a request from corporate users to recover machines where the primary
key has been lost (forgotten, user left the company, ...)
[Risks]
* Errors in python or UI code, either the installer won't load at all or the
security page will trigger a crash. These are both highly visible crashes. The
logs are in /var/log/syslog and /var/log/installer/
* Errors in the debconf templates: Some strings won't be translated on
non-english installations
* When the file browser opens verify that it opens in the right home
directory. If it fails it would be a minor issue, the user can still browse to
a writable location.
[Build]
Builds and tested successfully locally in live session and ubiquity-dm
+
+ [Other info]
+ Code reviewed, approved and already merged in main.
[Test Plan]
1. Start latest Focal iso, and install the deb package ubiquity,
ubiquity-frontend-gtk and ubiquity-ubuntu-artwork.
2. Proceed with the installation until the partitioning page.
3. Select "Advanced features"
4. In the new dialog, select LVM and check the box to enable encryption.
5. Close the dialog and continue installation
6. The page to enter a passphrase will be displayed.
7. Enter a passphrase.
8. In the "recovery key" section of the page, make the field visible to
reveal the automatically generated password. Verify that it contains only
digits.
9. Click on the refresh button next to the field and verify that the password
is refreshed and contains only digits.
10. Write the password down.
11. Click on the file browser icon, and verify that the file browser opens in
the home directory of the user.
12. Create a new folder to write the key too and close the file browser window
13. Continue with installation to the end but do not reboot yet.
14. Open Nautilus or a terminal and verify that the key is saved to the
location you entered previously.
15. Verify that the content of the key matches the password that you wrote
down in step 10.
16. Reboot the machine.
17. At the password prompt of plymouth, enter the passphrase you entered at
step 7, press enter, and verify that the volume is unlocked and the machine
boots as expected.
18. Reboot the machine
19. At the password prompt of plymouth, enter the password you wrote down at
step 10, press enter, and verify that the volume is unlocked and the machine
boots as expected.
20. Repeat the test from ubiquity-dm (boot with systemd.unit=rescue.target,
in recovery mode systemctl start network-online.target, copy the debs with scp
and install them)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921358
Title:
[FFe] Master recovery key
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1921358/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
