More helpful names/prompts for encrypted partitions

Bug #201413 reported by Chris Jones on 2008-03-12
Affects: cryptsetup (Ubuntu)
Importance: Low
Assigned to: Martin Pitt

Bug Description

Binary package hint: cryptsetup

Installing with Hardy Alternate, I chose the option to partition the disk with a single encrypted LVM. On boot I am prompted to enter the password for "sda5_crypt", which is not particularly friendly, and it may not be obvious to some users that that refers to the encryption password they set during the installer.

Perhaps something like "Please enter the decryption password for $HOSTNAME:", or "This computer is encrypted, please enter the password to continue:"

Martin Pitt (pitti) wrote :

Matthew, do you have an opinion what the string should be? Thank you!

Changed in cryptsetup:
assignee: nobody → pitti
importance: Undecided → Low
status: New → In Progress

Matthew Paul Thomas (mpt) wrote :

How about: "To unlock the ______ disk, you need to enter its password."

Martin Pitt (pitti) wrote :

Matthew, thanks for the suggestion. However, the _____ part is precisely what we'd like to get rid of. This is only for the root partition, i.e. there will only ever be one, and it does not have a meaningful name (it's usually called something like sda5_crypt).

Matthew Paul Thomas (mpt) wrote :

Ah! If there's only ever going to be one, then it can just be "To unlock the disk, you need to enter its password."

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:1.0.5-2ubuntu10

---------------
cryptsetup (2:1.0.5-2ubuntu10) hardy; urgency=low

  * debian/initramfs/cryptroot-script: Do not mention the name of the
    encrypted device. It is just technobabble anyway (sda4_crypt), and there
    is just one root partition ever, so it is not needed to tell apart
    different partitions. From a security POV, someone who can change your
    initramfs to boot a different root partition can just as well change the
    strings, too. (LP: #201413)

 -- Martin Pitt <email address hidden> Wed, 02 Apr 2008 15:51:53 +0200

Changed in cryptsetup:
status: In Progress → Fix Released

I have so far refrained from installing this update because I actually have two hard drives which are encrypted independently - so I am asked for two passwords each boot. How will this affect me? I use two different passwords so I need to tell the hard drives apart.

How about introducing a check that if more than one drive is encrypted you do its device name (or possibly its disk label, which should be human readable).

Christian Juner [2008-04-03 9:33 -0000]:
> I have so far refrained from installing this update because I actually have
> two hard drives which are encrypted independently - so I am asked for two
> passwords each boot. How will this affect me? I use two different
> passwords so I need to tell the hard drives apart.

While you can certainly have more than one encrypted partition, you
can only ever have *one* root partition. This is where the string
changed. For other encrypted partitions, the prompt will continue to
contain a drive name.

David Härdeman (davidhardeman) wrote :

Martin Pitt:
> While you can certainly have more than one encrypted partition, you
> can only ever have *one* root partition. This is where the string
> changed. For other encrypted partitions, the prompt will continue to
> contain a drive name.

No, cryptsetup will set up multiple encrypted devices in the initramfs if you use crypto-on-lvm-on-multiple-disks and/or if you use suspend-to-encrypted-swap.

I have meanwhile installed the new version. I am asked "To unlock the disk you need to enter its password:" for both encrypted partitions.

Martin Pitt (pitti) wrote :

David Haerdeman [2008-04-05 21:46 -0000]:
> No, cryptsetup will set up multiple encrypted devices in the initramfs if
> you use crypto-on-lvm-on-multiple-disks and/or if you use suspend-to-
> encrypted-swap.

Oh, indeed this is a possible case, although it seems unnecessarily
weird and inconvenient to me? So it seems I need to revert that
change.

Changed in cryptsetup:
status: Fix Released → In Progress

Martin Pitt (pitti) on 2008-04-06
Changed in cryptsetup:
status: In Progress → Fix Committed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:1.0.5-2ubuntu11

---------------
cryptsetup (2:1.0.5-2ubuntu11) hardy; urgency=low

  * debian/initramfs/cryptroot-script: Do show the disk name after all, since
    some people use multiple encrypted partitions as LVM PVs. (LP: #201413)

 -- Martin Pitt <email address hidden> Sun, 06 Apr 2008 11:54:41 -0600

Changed in cryptsetup:
status: Fix Committed → Fix Released