[SRU] New feature: Encryption recovery key

Bug #1921091 reported by Jean-Baptiste Lallement
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ubiquity (Ubuntu) | Fix Released | High | Unassigned |
Focal | Fix Released | High | Jean-Baptiste Lallement |

Bug Description

[Impact]
This new feature of the installer adds a recovery key to the password page when the user selects an encrypted installation.
The recovery key contains digits only and is generated automatically. The user can write it down or save it to a file that can then be used as input to unlock an encrypted volume.

This is a request from corporate users of the LTS to recover machines where the primary key has been lost (forgotten, user left the company, ...).

This patch modifies the crypto page of the installer, the debconf templates (which introduces new strings) and the related python code.

[Test Plan]
1. Start the latest Focal ISO, and install the deb packages ubiquity, ubiquity-frontend-gtk and ubiquity-ubuntu-artwork.
2. Proceed with the installation until the partitioning page.
3. Select "Advanced features"
4. In the new dialog, select LVM and check the box to enable encryption.
5. Close the dialog and continue installation
6. The page to enter a passphrase will be displayed.
7. Enter a passphrase.
8. In the "recovery key" section of the page, make the field visible to reveal the automatically generated password. Verify that it contains only digits.
9. Click on the refresh button next to the field and verify that the password is refreshed and contains only digits.
10. Write the password down.
11. Click on the file browser icon, and verify that the file browser opens in the home directory of the user.
12. Create a new folder to write the key to and close the file browser window.
13. Continue with installation to the end but do not reboot yet.
14. Open Nautilus or a terminal and verify that the key is saved to the location you entered previously.
15. Verify that the content of the key matches the password that you wrote down in step 10.
16. Reboot the machine.
17. At the password prompt of plymouth, enter the passphrase you entered at step 7, press enter, and verify that the volume is unlocked and the machine boots as expected.
18. Reboot the machine
19. At the password prompt of plymouth, enter the password you wrote down at step 10, press enter, and verify that the volume is unlocked and the machine boots as expected.
20. Repeat the test from ubiquity-dm (boot with systemd.unit=rescue.target, in recovery mode systemctl start network-online.target, copy the debs with scp and install them)

[Where problem could occur]
* Errors in Python or UI code: either the installer won't load at all or the security page will trigger a crash. These are both highly visible crashes. The logs are in /var/log/syslog and /var/log/installer/
* Errors in the debconf templates: some strings won't be translated on non-English installations.
* When the file browser opens verify that it opens in the right home directory. If it fails it would be a minor issue, the user can still browse to a writable location.

[Other info]
The package builds on latest daily focal image (20210323)
Tested in live session and ubiquity-dm mode.
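
The description above calls for an automatically generated, digits-only key that is saved to a file. The following is an added sketch of that idea, not ubiquity's code: the function names are hypothetical, and the owner-only file mode, refusal to overwrite and absence of a trailing newline are assumptions of this example, not behaviour stated in the report. The 48-digit default is the one given in the changelog further down this page.

```python
import math
import os
import secrets
import stat

KEY_DIGITS = 48  # default length stated in the changelog on this page


def generate_recovery_key(digits=KEY_DIGITS):
    """Return a digits-only key drawn from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def entropy_bits(digits=KEY_DIGITS):
    """Entropy of a uniformly random decimal string of this length."""
    return digits * math.log2(10)


def save_key(key, path):
    """Write the key to a new file that only its owner can access.

    O_EXCL refuses to reuse an existing file or follow a symlink at the
    final path component. No trailing newline is written, so the file
    holds exactly the characters a user would type at the prompt.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(key)


def check_key_file(path, digits=KEY_DIGITS):
    """Return a list of problems found with a saved key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("file is accessible to group or others")
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.isdigit():  # also catches a stray newline or an empty file
        problems.append("content is not digits only")
    if len(data) != digits:
        problems.append("unexpected length %d" % len(data))
    return problems


if __name__ == "__main__":
    print("%d digits ~ %.1f bits of entropy" % (KEY_DIGITS, entropy_bits()))
```

A 48-digit decimal key carries about 159 bits of entropy, so restricting the alphabet to digits is compensated by the length.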

Changed in ubiquity (Ubuntu):
importance: Undecided → High
summary: - [SRU] Encryption recovery key
+ [SRU] New feature: Encryption recovery key
Changed in ubiquity (Ubuntu Focal):
importance: Undecided → High
Changed in ubiquity (Ubuntu):
status: New → Fix Released
Jean-Baptiste Lallement (jibel) wrote :
Changed in ubiquity (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Jean-Baptiste Lallement (jibel)
milestone: none → ubuntu-20.04.3
status: In Progress → Triaged
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Jean-Baptiste, or anyone else affected,

Accepted ubiquity into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubiquity/20.04.15.16 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubiquity (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-focal
Jean-Baptiste Lallement (jibel) wrote :

This patch is missing in scripts/plugininstall.py from focal and the install crashes in manual partitioning mode:

        disk = debconf_disk.split('/')[-1].replace('=', '/')
        if not disk: # disk is not set in manual partitioning mode
            syslog.syslog(
                syslog.LOG_ERR,
                'Determining installation disk failed. '
                'Setting a recovery key is supported only with partman-auto.')
            self.clean_crypto_keys()
            self.db.input('critical', 'ubiquity/install/broken_luks_add_key')
            self.db.go()
            return

tags: added: verification-failed verification-failed-focal
removed: verification-needed verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hello Jean-Baptiste, or anyone else affected,

Accepted ubiquity into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubiquity/20.04.15.17 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-focal
removed: verification-failed verification-failed-focal
Jean-Baptiste Lallement (jibel) wrote :

I verified ubiquity 20.04.15.17 in both automated and manual partitioning and it works as expected. Marking as verification done.

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ubiquity has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity - 20.04.15.17

---------------
ubiquity (20.04.15.17) focal; urgency=medium

  [ Didier Roche ]
  [ Jean-Baptiste Lallement ]
  * Fixed crash message with manually created encrypted volumes

ubiquity (20.04.15.16) focal; urgency=medium

  * Automatic update of included source packages: shim-signed 1.40.6.

ubiquity (20.04.15.15) focal; urgency=medium

   [ Didier Roche ]
   [ Jean-Baptiste Lallement ]
   * Added support for recovery key (LP: #1921091)
     This adds a second key that can be used for recovery of encrypted
     partitions. The key is saved to a file to be stored on a secure location.
     It's a 48 digit password by default, it's optional and editable.

 -- Didier Roche <email address hidden> Fri, 06 Aug 2021 10:08:08 +0200

Changed in ubiquity (Ubuntu Focal):
status: Fix Committed → Fix Released