425213 – encrypted root with separate boot automatically decrypted during system startup.

Bug 425213 - encrypted root with separate boot automatically decrypted during system startup.

Summary: encrypted root with separate boot automatically decrypted during system startup.

Status:	RESOLVED FIXED

Alias:	None

Product:	neon
Classification:	KDE Neon
Component:	Live/Install images (show other bugs)
Version:	unspecified
Platform:	Neon Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Neon Bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-08-11 09:24 UTC by Jeroen
Modified:	2023-09-13 13:15 UTC (History)
CC List:	4 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
screenshots during install (329.32 KB, application/gzip) 2020-08-11 09:24 UTC, Jeroen	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen 2020-08-11 09:24:09 UTC

Created attachment 130779 [details]
screenshots during install

SUMMARY
Calamares unlocks / with a key file, even if /boot is intentionally unencrypted. Not sure if this is a bug in Calamares or the setup that KDE Neon uses. I think the error is in the expectation that /boot is encrypted as well, in which case a key file for / is useful. But when /boot is unencrypted, this is an rather severe error.

STEPS TO REPRODUCE
Install KDE Neon with the following setup:
1. Select "Manual partitioning"
2. Select "New Partition Table" and choose MBR
3. Create new partition of size 1024 MiB, Primary, File System Ext4, Mount Point /boot.
4. Create new partition of remaining size, Primary, File System btrfs, Encrypt, Mount Point /.
5. Next
6. Read message about GPT
7. Read message about separate boot with encrypted root.
8. Fill out Users form. Do not login automatically.
9. Install.
10. Reboot.

OBSERVED RESULT
A luks device is created and a single slot is filled at the beginning of the installation, when the disks are prepared. At the end of the installation, there are 2 key slots in use and there is a definition for decryption of / with a key file in /etc/crypttab.
After a reboot, / is automatically decrypted.

EXPECTED RESULT
A luks device is created and a single slot is filled at the beginning of the installation, when the disks are prepared. At the end of the installation, there is still only 1 key slot in use.
After a reboot, after grub and loading the kernel and initramfs, there is a prompt for my password.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: neon-user-20200810-1423
(available in About System)
KDE Plasma Version: 5.19.4
KDE Frameworks Version: 5.72.0
Qt Version: 5.14.2

ADDITIONAL INFORMATION
I'm not sure how initram is able to get the key file, seeing how the decryption key for root is also on root.

Comment 1 Jeroen 2020-08-11 09:37:31 UTC

It is possible the following is related, in which case I would like a big fat warning that it is not only less secure but completely insecure:
https://github.com/calamares/calamares/issues/1311#issuecomment-579741764

Right now it is written in a way to make people aware of the evil maid attack (which is fine by me, because if somebody steals my laptop I woun't be able to type in my password anyway), not the "we put the decryption key in the initram so your encrypted root is useless unless you encrypt your /boot as well".

Why would you even put your decryption key in initram by default?

Is a workaround for now to remove the entry from /etc/crypttap and remove the key from initram?

Comment 2 Malte S. Stretz 2023-09-13 13:15:41 UTC

Luckily this was fixed upstream in the meantime.