On an encrypted Lubuntu installation, I have to type my passphrase twice

Bug #1975481 reported by Aaron Rainbolt
Affects             Status        Importance  Assigned to  Milestone
calamares (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Test hardware is an HP Z220 SFF Workstation, 32 GB RAM, 256 GB SSD + 1 TB SSD, UEFI, no secure boot. The test was done within Gnome Boxes; the VM was given SeaBIOS, 4 GB RAM and 20 GB of disk space. Host OS is Ubuntu Studio 22.04, guest OS is Lubuntu Kinetic.

If you install Lubuntu with the "Encrypt system" feature offered by Calamares, you will be asked early in the boot process for your security key. The system will not boot without it. When the security key is provided, the early boot screen (with the SeaBIOS text) disappears, and the Plymouth screen appears (well, due to Bug #1973150, you have to use a workaround to get it to appear, but whatever). You are then prompted for the security key again, which should be unnecessary.

Steps to reproduce:

1: Boot the latest Lubuntu Kinetic image in Gnome Boxes.
2: Open the Lubuntu installer.
3: At the partitioning step, use "Erase disk", set your swapfile preference to "No swap", check "Encrypt system", and enter a security key (I used "qwe" as my key, if it matters).
4: Plug in your user data and begin the installation.
5: Ensure that "Restart Now" is checked, then click "Done" to reboot into the newly installed OS.
6: Click on the Lubuntu Kinetic VM you just made in Gnome Boxes.
7: Type your passphrase, and press Enter.

Expected result: The system should proceed to finish the boot process and get you to a desktop.
Actual result: You are required to enter the passphrase a second time to finish the boot process.

Notes:

With Arch Linux, this is a known problem, and it appears to have a well-documented workaround here: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice I notice that, in the root directory of the encrypted system, there's a "crypto_keyfile.bin" file, which suggests to me that Calamares tried to implement a similar or identical workaround, but failed for some reason.

Also, considering the shortcomings of LUKS1 and the better security offered by LUKS2, I'm wondering if Calamares should be encrypting /boot at all. Why not just put /boot on a separate unencrypted partition, and let Plymouth handle decryption? Granted, this would allow installation of boot-level rootkits on a system without needing to break the encryption, but really, even encrypting /boot doesn't fully prevent that (I can think of at least two attacks that would circumvent an encrypted /boot in the absence of Secure Boot, no matter how good the encryption is), and if the data on the computer is sensitive enough to encrypt, it's probably way more valuable than the computer itself. Why use less effective data protection for the sake of a not-really-awesome bonus, when we could sacrifice the "bonus" in favor of better data protection? Anyway, just my two cents on the topic.
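
The workaround the description links to on the Arch wiki, carried over to Debian/Ubuntu initramfs-tools, as an added example: this is editor-written code, not Calamares' or Lubuntu's, and it does not claim to be what the installer does in the affected image. A random keyfile is enrolled in a second LUKS key slot, /etc/crypttab points the initramfs at it, KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook makes the cryptsetup-initramfs hook copy it into the initrd, and UMASK=0077 in /etc/initramfs-tools/initramfs.conf keeps the rebuilt initrd private. The mapping name luks-root, the placeholder UUID and the keyfile path /crypto_keyfile.bin are assumptions. The trade-off raised above applies directly: once the keyfile is inside the initrd, that initrd is the disk key, so it only belongs on an encrypted /boot with mode 0600, which check_private verifies.

```shell
#!/bin/sh
# Added example (not Calamares' or Lubuntu's own code): the "enter the
# passphrase once" keyfile setup, Debian/Ubuntu initramfs-tools flavour.
# GRUB still unlocks /boot with the passphrase; the initramfs then opens the
# root volume with a keyfile embedded in the initrd instead of prompting
# a second time.  Paths and names below are illustrative assumptions.
set -eu

# Write the three config fragments below a prefix directory ("" for the live
# system, a scratch dir for a dry run).  Touches no block device.
write_keyfile_config() {
    prefix=$1 mapname=$2 device=$3 keyfile=$4
    mkdir -p "$prefix/etc/cryptsetup-initramfs" "$prefix/etc/initramfs-tools"
    # /etc/crypttab: <mapping name> <device> <keyfile> <options>
    printf '%s %s %s luks\n' "$mapname" "$device" "$keyfile" >> "$prefix/etc/crypttab"
    # cryptsetup-initramfs hook: keyfiles matching this glob are copied into
    # the initrd at the same path, so the crypttab entry resolves at boot
    printf 'KEYFILE_PATTERN=%s\n' "$keyfile" >> "$prefix/etc/cryptsetup-initramfs/conf-hook"
    # the rebuilt initrd now contains a LUKS key, so have it created mode 0600
    printf 'UMASK=0077\n' >> "$prefix/etc/initramfs-tools/initramfs.conf"
}

# Live-system half (root only): random 4 KiB keyfile, enrolled as an extra
# key slot, then the initramfs is rebuilt so the hook embeds it.
enroll_keyfile() {
    device=$1 keyfile=$2
    [ "$(id -u)" -eq 0 ] || { echo "enroll_keyfile: must run as root" >&2; return 1; }
    ( umask 077; head -c 4096 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
    cryptsetup luksAddKey "$device" "$keyfile"   # asks for the existing passphrase
    update-initramfs -u
}

# Audit: every existing file given must be unreadable by group and others.
# An initrd that carries the keyfile *is* the disk key; it also has to live on
# the encrypted /boot, or the encryption is defeated by just reading /boot.
# Returns 0 when nothing is exposed, 1 otherwise (missing files are skipped).
check_private() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if find "$f" -prune \( -perm -004 -o -perm -040 \) | grep -q .; then
            echo "exposed: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Dry run against a scratch prefix; nothing on the real system changes.
scratch=$(mktemp -d)
write_keyfile_config "$scratch" luks-root \
    UUID=00000000-0000-0000-0000-000000000000 /crypto_keyfile.bin
cat "$scratch/etc/crypttab"
rm -rf "$scratch"
```

write_keyfile_config and check_private are safe to run against a scratch prefix; enroll_keyfile modifies the LUKS header and rebuilds the initramfs and is meant only for a live system as root. After both halves are applied, GRUB still asks for the passphrase to reach the kernel, but the initramfs opens the root volume from the keyfile and the second prompt goes away; run check_private on /boot/initrd.img-* afterwards, and do not use this setup with an unencrypted /boot.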

Aaron Rainbolt (arraybolt3) wrote :
tags: added: calamares encryption kinetic lubuntu luks
description: updated
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1975481

tags: added: iso-testing
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in calamares (Ubuntu):
status: New → Confirmed
Leó Kolbeinsson (leok) wrote :

Confirm the original report:

Testing Lubuntu Kinetic daily ISO 23-05-2022

Lenovo YG SL 7 14ITL05 i5-1135G7 testing in VirtualBox

http://iso.qa.ubuntu.com/qatracker/milestones/433/builds/248721/testcases/1701/results/

Leó Kolbeinsson (leok) wrote :

Also tested a Dell [Latitude] 7280, i5-7300U, bare metal booting in UEFI + Secure Boot mode, and got the same results: need to enter the passphrase twice, once on the boot menu and again before logon.

Aaron Rainbolt (arraybolt3) wrote :

As of June 23, 2022, this bug is no longer present in the latest Lubuntu Kinetic ISO.

Changed in calamares (Ubuntu):
status: Confirmed → Fix Released