Unable to change disk decryption passphrase
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gnome-disk-utility (Arch Linux) | New | Undecided | Unassigned | |
| gnome-disk-utility (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Versions:
Ubuntu 18.04 LTS
gnome-disk-utility 3.28.3-
-------
What I'm trying to do:
Change the disk decryption passphrase of a key in any slot other than slot 0 while there is an existing key in slot 0 (e.g. changing the disk decryption passphrase of slot 1) using gnome-disk-utility.
Ran "Disks" > Selected my encrypted device partition > Clicked the gear icon > Selected "Change passphrase" > Entered the passphrase I wanted to change > Entered the passphrase I wanted to change to and confirmed it > clicked "Change".
-------
What I expected to happen:
After clicking "Change" I expected to get no errors and have the passphrase I wanted to change to be valid to decrypt the disk.
In the event of an error I expected the passphrase I was trying to change to still be valid to decrypt the disk.
-------
What is happening:
I get an error message pop-up:
Error changing passphrase
Error changing passphrase on device /dev/sda2/:Failed to add the new passphrase: Invalid argument (udisks-
And the key that I was trying to change gets deleted with no new key being added.
-------
(Before trying to change passphrase in key slot 2 using gnome-disk-utility)
sudo cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 0f 5d 66 ec 16 0b 0c f2 4b 0a 9f 99 28 41 59 64 e9 9d 75 64
MK salt: 89 e5 16 e5 e0 5d f5 63 f6 ba 2b f1 df e8 e6 1d
11 52 27 39 ff 87 4c 70 ab b7 49 a2 97 e0 46 41
MK iterations: 101875
UUID: c5754fe4-
Key Slot 0: ENABLED
Iterations: 426666
Salt: cb 25 fd 7d 14 ca af f1 6a 57 b9 b7 b8 7a 45 76
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 2074334
Salt: c2 cc 91 12 25 f4 80 21 d2 fa 91 44 ef 02 04 3e
Key material offset: 264
AF stripes: 4000
Key Slot 2: ENABLED
Iterations: 2090878
Salt: 47 fa 77 b7 f8 31 dc 48 ab 58 f7 25 a4 d5 c7 be
Key material offset: 520
AF stripes: 4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
-------
(After trying to change passphrase in key slot 2 using gnome-disk-utility)
sudo cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 0f 5d 66 ec 16 0b 0c f2 4b 0a 9f 99 28 41 59 64 e9 9d 75 64
MK salt: 89 e5 16 e5 e0 5d f5 63 f6 ba 2b f1 df e8 e6 1d
11 52 27 39 ff 87 4c 70 ab b7 49 a2 97 e0 46 41
MK iterations: 101875
UUID: c5754fe4-
Key Slot 0: ENABLED
Iterations: 426666
Salt: cb 25 fd 7d 14 ca af f1 6a 57 b9 b7 b8 7a 45 76
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 2074334
Salt: c2 cc 91 12 25 f4 80 21 d2 fa 91 44 ef 02 04 3e
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
-------
Troubleshooting:
I have found that:
* Changing the passphrase of the key in slot 0 while there are existing keys in any other slot works as expected (the passphrase is changed and no errors occur)
* Changing the passphrase of a key in any slot other than slot 0 while there is no existing key in slot 0 works as expected (the passphrase is changed and no errors occur)
-------
Replication:
To rule out this bug being caused by the way we build computers with 18.04 internally, I have installed Ubuntu 18.04 LTS on different hardware > set the disk to encrypted > added a key into slot 1 using: sudo cryptsetup luksAddKey /dev/sda5 > attempted to change said key by running "Disks" > Selected my encrypted device partition > Clicked the gear icon > Selected "Change passphrase" > Entered the passphrase I wanted to change > Entered the passphrase I wanted to change to and confirmed it > clicked "Change" and received the same error.
-------
Workaround:
The following command works as an alternative to changing the passphrase in "Disks":
sudo cryptsetup luksChangeKey /dev/[partition]
*where [partition] is the encrypted partition that you want to change the passphrase on.
This is not ideal as our users will want to use "Disks" to change the passphrase.
Status changed to 'Confirmed' because the bug affects multiple users.
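The before/after key-slot comparison shown in the report can be automated. The script below is an added example, not part of the original bug report or of either project; the function names and the `/dev/sdXN` device path are assumptions, and the sample input is constructed from the slot lines of the two dumps above.

```shell
#!/bin/sh
# Added example (not from the bug report): compare LUKS1 key slots in
# `cryptsetup luksDump` output captured before and after a passphrase change.

# Print the numbers of ENABLED key slots from luksDump text on stdin.
enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { sub(/:$/, "", $3); print $3 }'
}

# Exit 0 when the number of enabled slots did not drop. Counts are compared
# rather than slot numbers, since a successful change may land in another slot.
slots_preserved() {
    n_before=$(printf '%s\n' "$1" | enabled_slots | awk 'END { print NR }')
    n_after=$(printf '%s\n' "$2" | enabled_slots | awk 'END { print NR }')
    [ "$n_after" -ge "$n_before" ]
}

# Print slots that were ENABLED before and are no longer ENABLED after.
newly_disabled() {
    after_list=$(printf '%s\n' "$2" | enabled_slots)
    for s in $(printf '%s\n' "$1" | enabled_slots); do
        printf '%s\n' "$after_list" | grep -qx "$s" || echo "$s"
    done
}

# Constructed sample input: the slot lines of the two dumps in the report.
BEFORE='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED'
AFTER='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# On a real system (device path is a placeholder):
#   before=$(sudo cryptsetup luksDump /dev/sdXN)   # then change the passphrase
#   after=$(sudo cryptsetup luksDump /dev/sdXN)
if slots_preserved "$BEFORE" "$AFTER"; then
    echo "OK: enabled key slot count unchanged"
else
    echo "LOST: key slot(s) $(newly_disabled "$BEFORE" "$AFTER") disabled with no replacement"
fi
```

Taking a header backup with `cryptsetup luksHeaderBackup` before the change gives a way to recover the key slot if this check reports a loss.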