Luks-Crypt prints the Passphrase to the Boot Log

Bug #454075 reported by Enno Lohmeier
Affects: Ubuntu | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)
Nominated for Jaunty by Enno Lohmeier
Nominated for Karmic by Enno Lohmeier

Bug Description

On my Jaunty desktop and my Karmic beta netbook I'm using LUKS/cryptsetup with a passphrase to encrypt the /home directory. To accomplish that, I added the following line to the /etc/crypttab files:

crypt-home /dev/sdb2 none luks

Additionally I added the following line to the /etc/fstab files:

/dev/mapper/crypt-home /home ext4 relatime 0 1

When I boot up the computer, the splash app asks me for the passphrase and unlocks the partition nicely.
Once I booted up my Karmic netbook I accidentally saw my passphrase printed on the screen (!) before xsplash started, so I kept track of the issue.

It seems that both Jaunty and Karmic print the LUKS passphrase into the boot log after unlocking the device.
On Jaunty it is visible shortly before gdm starts.
If I switch to /dev/tty8 via Ctrl-Alt-F8 while on the desktop I can still read the boot log, including my more or less secret LUKS passphrase.

It says:

* Starting init crypto disks...
* crypt-home (starting)
XXXXXXXX (my passphrase)
key slot 0 unlocked.
Command successful.
* crypt-home (started)...

...

I think this bug is a great security vulnerability for people who want to secure their computers or mobile devices, e.g. notebooks/netbooks...
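The log fragment above shows where the leak lands: between the "crypt-home (starting)" marker and cryptsetup's "key slot 0 unlocked." line. The following script is an added example, not part of the bug report or of Ubuntu's cryptsetup scripts. It parses crypttab entries to find targets unlocked by a typed passphrase (key file "none"), then scans a boot log for any text in that window that is not a known cryptsetup message, which is how an administrator can check whether their own logs captured the passphrase. The crypttab and boot log contents are constructed from the report's lines, the string "hunter2xyz" stands in for the echoed passphrase, and the set of expected cryptsetup messages is an assumption based on the fragment shown.

```python
"""Audit a boot log for a LUKS passphrase echoed during 'init crypto disks'.

Added example; not from the Launchpad report. The heuristic: for every
crypttab target that prompts for a passphrase, any line between
'<target> (starting)' and 'key slot N unlocked.' that is not a known
cryptsetup message is suspicious, because that is where a typed
passphrase would be echoed.
"""
import re

# Constructed crypttab, mirroring the entry in the report plus a second
# device unlocked from a key file (which never prompts and is skipped).
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
crypt-home /dev/sdb2 none luks
crypt-swap /dev/sdb3 /dev/urandom swap
"""

# Constructed boot log mirroring the fragment in the report;
# "hunter2xyz" is a placeholder for the echoed passphrase.
SAMPLE_BOOT_LOG = """\
* Starting init crypto disks...
* crypt-home (starting)
hunter2xyz
key slot 0 unlocked.
Command successful.
* crypt-home (started)...
* crypt-swap (starting)
* crypt-swap (started)...
"""

# Lines cryptsetup legitimately prints while unlocking (assumed set).
EXPECTED = re.compile(
    r"^(Enter (LUKS )?passphrase.*|key slot \d+ unlocked\.|Command successful\."
    r"|\* .*\(starting\)|\* .*\(started\).*)$"
)


def parse_crypttab(text):
    """Return (target, source, keyfile, options) tuples for non-comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        target, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append((target, source, keyfile, options))
    return entries


def passphrase_targets(text):
    """Targets whose key file is 'none': unlocked by an interactively typed passphrase."""
    return [t for t, _, key, _ in parse_crypttab(text) if key == "none"]


def suspicious_lines(log_text, target):
    """Unexpected lines inside the unlock window of one target."""
    found = []
    in_window = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == f"* {target} (starting)":
            in_window = True
            continue
        if not in_window:
            continue
        if re.match(r"key slot \d+ unlocked\.", line) or line == f"* {target} (started)...":
            in_window = False  # unlock finished; leave the window
            continue
        if not EXPECTED.match(line):
            found.append(line)
    return found


def audit(crypttab_text, log_text):
    """Map each passphrase-unlocked target to the suspicious lines found for it."""
    return {t: suspicious_lines(log_text, t) for t in passphrase_targets(crypttab_text)}


if __name__ == "__main__":
    # Report only the length of each suspicious line so the audit itself
    # does not copy a possible passphrase anywhere new.
    for target, lines in audit(SAMPLE_CRYPTTAB, SAMPLE_BOOT_LOG).items():
        for line in lines:
            print(f"{target}: unexpected {len(line)}-char line in unlock window")
```

On a real system the inputs would be the contents of /etc/crypttab and the captured boot log (for example /var/log/boot); the main block deliberately prints only the length of each flagged line rather than its text.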

visibility: private → public
Kees Cook (kees) wrote:

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 104602, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Please continue to report any other bugs you may find.

Changed in ubuntu:
status: New → Confirmed
Enno Lohmeier (e-lohmeier-deactivatedaccount) wrote:

I don't think it's a duplicate of 104602, it's rather a duplicate of https://bugs.launchpad.net/ubuntu/+source/usplash/+bug/55159.
