Unable to change disk decryption passphrase

Bug #1790979 reported by Chelsea Finnie
This bug affects 5 people
Affects                          Status     Importance  Assigned to  Milestone
gnome-disk-utility (Arch Linux)  New        Undecided   Unassigned
gnome-disk-utility (Ubuntu)      Confirmed  Undecided   Unassigned

Bug Description

Versions:

Ubuntu 18.04 LTS
gnome-disk-utility 3.28.3-0ubuntu1~18.04.1

------------------------------------------

What I'm trying to do:

Change the disk decryption passphrase of the key in any slot other than slot 0 while there is an existing key in slot 0 (e.g. changing the disk decryption passphrase of slot 1) using gnome-disk-utility.

Ran "Disks" > Selected my encrypted device partition > Clicked the gear icon > Selected "Change passphrase" > Entered the passphrase I wanted to change > Entered the passphrase I wanted to change to and confirmed it > clicked "Change".

------------------------------------------

What I expected to happen:

After clicking "Change" I expected to get no errors and have the passphrase I wanted to change to be valid to decrypt the disk.

In the event of an error I expected the passphrase I was trying to change to still be valid to decrypt the disk.

------------------------------------------

What is happening:

I get an error message pop-up:

Error changing passphrase

Error changing passphrase on device /dev/sda2/:Failed to add the new passphrase: Invalid argument (udisks-error-quark, 0)

And the key that I was trying to change gets deleted with no new key being added.

------------------------------------------

(Before trying to change passphrase in key slot 2 using gnome-disk-utility)

sudo cryptsetup luksDump /dev/sda2

LUKS header information for /dev/sda2

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 0f 5d 66 ec 16 0b 0c f2 4b 0a 9f 99 28 41 59 64 e9 9d 75 64
MK salt: 89 e5 16 e5 e0 5d f5 63 f6 ba 2b f1 df e8 e6 1d
                11 52 27 39 ff 87 4c 70 ab b7 49 a2 97 e0 46 41
MK iterations: 101875
UUID: c5754fe4-0835-431f-996b-e2202c380d05

Key Slot 0: ENABLED
 Iterations: 426666
 Salt: cb 25 fd 7d 14 ca af f1 6a 57 b9 b7 b8 7a 45 76
                        9e 9b 3f ef 6a 3a e7 f6 18 24 7a 6e bb 0d 36 78
 Key material offset: 8
 AF stripes: 4000
Key Slot 1: ENABLED
 Iterations: 2074334
 Salt: c2 cc 91 12 25 f4 80 21 d2 fa 91 44 ef 02 04 3e
                        6d d8 85 ef b2 39 fb c2 94 f1 62 ee db 79 3c ed
 Key material offset: 264
 AF stripes: 4000
Key Slot 2: ENABLED
 Iterations: 2090878
 Salt: 47 fa 77 b7 f8 31 dc 48 ab 58 f7 25 a4 d5 c7 be
                        35 a3 83 6a 4d 1d bb 24 1c 38 12 2d f1 15 40 7f
 Key material offset: 520
 AF stripes: 4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

------------------------------------------

(After trying to change passphrase in key slot 2 using gnome-disk-utility)

sudo cryptsetup luksDump /dev/sda2

LUKS header information for /dev/sda2

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 0f 5d 66 ec 16 0b 0c f2 4b 0a 9f 99 28 41 59 64 e9 9d 75 64
MK salt: 89 e5 16 e5 e0 5d f5 63 f6 ba 2b f1 df e8 e6 1d
                11 52 27 39 ff 87 4c 70 ab b7 49 a2 97 e0 46 41
MK iterations: 101875
UUID: c5754fe4-0835-431f-996b-e2202c380d05

Key Slot 0: ENABLED
 Iterations: 426666
 Salt: cb 25 fd 7d 14 ca af f1 6a 57 b9 b7 b8 7a 45 76
                        9e 9b 3f ef 6a 3a e7 f6 18 24 7a 6e bb 0d 36 78
 Key material offset: 8
 AF stripes: 4000
Key Slot 1: ENABLED
 Iterations: 2074334
 Salt: c2 cc 91 12 25 f4 80 21 d2 fa 91 44 ef 02 04 3e
                        6d d8 85 ef b2 39 fb c2 94 f1 62 ee db 79 3c ed
 Key material offset: 264
 AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

------------------------------------------

Troubleshooting:

I have found that:

* Changing the passphrase of the key in slot 0 while there are existing keys in any other slot works as expected (the passphrase is changed and no errors occur)

* Changing the passphrase of a key in any slot other than slot 0 while there is no existing key in slot 0 works as expected (the passphrase is changed and no errors occur)

------------------------------------------

Replication:

To rule out this bug being caused by the way we build computers with 18.04 internally, I have installed Ubuntu 18.04 LTS on different hardware > set the disk to encrypted > added a key into slot 1 using: sudo cryptsetup luksAddKey /dev/sda5 > attempted to change said key by running "Disks" > Selected my encrypted device partition > Clicked the gear icon > Selected "Change passphrase" > Entered the passphrase I wanted to change > Entered the passphrase I wanted to change to and confirmed it > clicked "Change" and received the same error.

------------------------------------------

Workaround:

The following command works as an alternative to changing the passphrase in "Disks":

sudo cryptsetup luksChangeKey /dev/[partition]

*where [partition] is the encrypted partition that you want to change the passphrase on.

This is not ideal as our users will want to use "Disks" to change the passphrase.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-disk-utility (Ubuntu):
status: New → Confirmed
Samuel (samuel1428-deactivatedaccount) wrote :

This bug occurred for me with a fresh installation of Ubuntu 19.04.
I created a new installation of Ubuntu 19.04 on an empty disk and checked the box to encrypt the installation. After the installation I tried to change the password and got locked out.

This is the output of sudo cryptsetup luksDump /dev/sda3 after the failed attempt to change my password:

LUKS header information
Version: 2
Epoch: 4
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 233e3965-3d97-4619-969e-ab9ef9b379d8
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)

Data segments:
  0: crypt
 offset: 16777216 [bytes]
 length: (whole device)
 cipher: aes-xts-plain64
 sector: 512 [bytes]

Keyslots:
Tokens:
Digests:
  0: pbkdf2
 Hash: sha256
 Iterations: 37406
 Salt: ec 30 aa 1b 97 ef d1 a5 fb b4 1f ba 58 a9 f6 6d
             e9 d8 c4 73 b4 1b b9 c0 52 ff bf 2f e9 93 d8 47
 Digest: f3 dd bb 32 f3 69 45 26 76 86 9a c4 4c d4 41 d4
             67 bc f1 10 b3 65 87 d6 3b 51 1d 52 f1 d6 1d 9f

Felipe Oliveira (felipebr) wrote :

I just got this error and there is no way to recover my data? It's lost? Such a critical bug and no solution?!
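
Added example (not part of the original report or comments, and not gnome-disk-utility or cryptsetup code): a check that compares "cryptsetup luksDump" text captured before and after a passphrase change and reports a lost keyslot, covering the LUKS1 layout in the report and the empty LUKS2 "Keyslots:" section in the 19.04 comment. The sample dumps are constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed, abridged dumps modelled on the LUKS1 output in the report.
LUKS1_BEFORE = """\
Version: 1
Key Slot 0: ENABLED
 Iterations: 426666
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
"""
LUKS1_AFTER = LUKS1_BEFORE.replace("Key Slot 2: ENABLED", "Key Slot 2: DISABLED")

# Constructed LUKS2 dumps: one keyslot, then the empty "Keyslots:" section
# shown in the 19.04 comment.
LUKS2_BEFORE = ("Version: 2\nData segments:\n  0: crypt\nKeyslots:\n"
                "  0: luks2\n\tKey: 512 bits\nTokens:\nDigests:\n  0: pbkdf2\n")
LUKS2_AFTER = LUKS2_BEFORE.replace("  0: luks2\n\tKey: 512 bits\n", "")


def enabled_slots(dump):
    """Return the set of enabled keyslot numbers in luksDump text (LUKS1 or LUKS2)."""
    slots, section = set(), None
    for line in dump.splitlines():
        m = re.match(r"Key Slot (\d+): (ENABLED|DISABLED)\s*$", line)
        if m:  # LUKS1: one line per slot
            if m.group(2) == "ENABLED":
                slots.add(int(m.group(1)))
        elif re.match(r"[A-Za-z][A-Za-z ]*:\s*$", line):
            section = line.strip().rstrip(":")  # LUKS2 section header
        elif section == "Keyslots" and (m := re.match(r"\s+(\d+): \S", line)):
            slots.add(int(m.group(1)))  # LUKS2: indented "N: type" entry
    return slots


def check_change(before, after):
    """Compare dumps taken before and after a passphrase change; return problems."""
    b, a = enabled_slots(before), enabled_slots(after)
    problems = []
    if not a:
        problems.append("no enabled keyslots remain")
    # Compare counts, not slot numbers: luksChangeKey may place the new
    # passphrase in a different free slot before purging the old one.
    if len(a) < len(b):
        problems.append(f"keyslots dropped from {len(b)} to {len(a)}; lost: {sorted(b - a)}")
    return problems


if __name__ == "__main__":
    print(check_change(LUKS1_BEFORE, LUKS1_AFTER))
    print(check_change(LUKS2_BEFORE, LUKS2_AFTER))
```

Feed it the output of sudo cryptsetup luksDump saved before and after the change; taking a cryptsetup luksHeaderBackup beforehand gives a header to restore if a slot is lost.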
