Unable to change disk decryption passphrase

Bug #1790979 reported by Chelsea Finnie on 2018-09-05
This bug affects 2 people
Affects: gnome-disk-utility (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Versions:

Ubuntu 18.04 LTS
gnome-disk-utility 3.28.3-0ubuntu1~18.04.1

------------------------------------------

What I'm trying to do:

Change the disk decryption passphrase of a key in any slot other than slot 0 while there is an existing key in slot 0 (e.g. changing the disk decryption passphrase of slot 1) using gnome-disk-utility.

Ran "Disks" > Selected my encrypted device partition > Clicked the gear icon > Selected "Change passphrase" > Entered the passphrase I wanted to change > Entered the passphrase I wanted to change to and confirmed it > clicked "Change".

------------------------------------------

What I expected to happen:

After clicking "Change" I expected to get no errors and have the passphrase I wanted to change to be valid to decrypt the disk.

In the event of an error I expected the passphrase I was trying to change to still be valid to decrypt the disk.

------------------------------------------

What is happening:

I get an error message pop-up:

Error changing passphrase

Error changing passphrase on device /dev/sda2/:Failed to add the new passphrase: Invalid argument (udisks-error-quark, 0)

And the key that I was trying to change gets deleted with no new key being added.

------------------------------------------

(Before trying to change passphrase in key slot 2 using gnome-disk-utility)

sudo cryptsetup luksDump /dev/sda2

LUKS header information for /dev/sda2

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 0f 5d 66 ec 16 0b 0c f2 4b 0a 9f 99 28 41 59 64 e9 9d 75 64
MK salt: 89 e5 16 e5 e0 5d f5 63 f6 ba 2b f1 df e8 e6 1d
                11 52 27 39 ff 87 4c 70 ab b7 49 a2 97 e0 46 41
MK iterations: 101875
UUID: c5754fe4-0835-431f-996b-e2202c380d05

Key Slot 0: ENABLED
 Iterations: 426666
 Salt: cb 25 fd 7d 14 ca af f1 6a 57 b9 b7 b8 7a 45 76
                        9e 9b 3f ef 6a 3a e7 f6 18 24 7a 6e bb 0d 36 78
 Key material offset: 8
 AF stripes: 4000
Key Slot 1: ENABLED
 Iterations: 2074334
 Salt: c2 cc 91 12 25 f4 80 21 d2 fa 91 44 ef 02 04 3e
                        6d d8 85 ef b2 39 fb c2 94 f1 62 ee db 79 3c ed
 Key material offset: 264
 AF stripes: 4000
Key Slot 2: ENABLED
 Iterations: 2090878
 Salt: 47 fa 77 b7 f8 31 dc 48 ab 58 f7 25 a4 d5 c7 be
                        35 a3 83 6a 4d 1d bb 24 1c 38 12 2d f1 15 40 7f
 Key material offset: 520
 AF stripes: 4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

------------------------------------------

(After trying to change passphrase in key slot 2 using gnome-disk-utility)

sudo cryptsetup luksDump /dev/sda2

LUKS header information for /dev/sda2

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 0f 5d 66 ec 16 0b 0c f2 4b 0a 9f 99 28 41 59 64 e9 9d 75 64
MK salt: 89 e5 16 e5 e0 5d f5 63 f6 ba 2b f1 df e8 e6 1d
                11 52 27 39 ff 87 4c 70 ab b7 49 a2 97 e0 46 41
MK iterations: 101875
UUID: c5754fe4-0835-431f-996b-e2202c380d05

Key Slot 0: ENABLED
 Iterations: 426666
 Salt: cb 25 fd 7d 14 ca af f1 6a 57 b9 b7 b8 7a 45 76
                        9e 9b 3f ef 6a 3a e7 f6 18 24 7a 6e bb 0d 36 78
 Key material offset: 8
 AF stripes: 4000
Key Slot 1: ENABLED
 Iterations: 2074334
 Salt: c2 cc 91 12 25 f4 80 21 d2 fa 91 44 ef 02 04 3e
                        6d d8 85 ef b2 39 fb c2 94 f1 62 ee db 79 3c ed
 Key material offset: 264
 AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

------------------------------------------

Troubleshooting:

I have found that:

* Changing the passphrase of the key in slot 0 while there are existing keys in any other slot works as expected (the passphrase is changed and no errors occur)

* Changing the passphrase of a key in any slot other than slot 0 while there is no existing key in slot 0 works as expected (the passphrase is changed and no errors occur)

------------------------------------------

Replication:

To rule out this bug being caused by the way we build computers with 18.04 internally, I have installed Ubuntu 18.04 LTS on different hardware > set the disk to encrypted > added a key into slot 1 using: sudo cryptsetup luksAddKey /dev/sda5 > attempted to change said key by running "Disks" > Selected my encrypted device partition > Clicked the gear icon > Selected "Change passphrase" > Entered the passphrase I wanted to change > Entered the passphrase I wanted to change to and confirmed it > clicked "Change" and received the same error.

------------------------------------------

Workaround:

The following command works as an alternative to changing the passphrase in "Disks":

sudo cryptsetup luksChangeKey /dev/[partition]

*where [partition] is the encrypted partition that you want to change the passphrase on.

This is not ideal as our users will want to use "Disks" to change the passphrase.
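
Added example (not part of the original report and not code from gnome-disk-utility or udisks): a check that compares two LUKS1 `cryptsetup luksDump` captures and flags the failure described above, where a key slot is removed and no replacement is written. The sample dumps are constructed, trimmed to the key-slot lines shown in the report; the function names are hypothetical.

```shell
#!/bin/sh
# Compare LUKS1 luksDump text taken before and after a passphrase change.
# On a real system the inputs would come from, for example:
#   before=$(sudo cryptsetup luksDump /dev/sdXN)
# A header copy made first with `cryptsetup luksHeaderBackup` lets a lost
# slot be restored.

# Constructed sample input in the report's luksDump layout.
SAMPLE_BEFORE='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED'
SAMPLE_AFTER='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# Print the number of every ENABLED key slot in the dump text "$1".
enabled_slots() {
    printf '%s\n' "$1" |
        awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { sub(":", "", $3); print $3 }'
}

# Print slots enabled in dump "$1" but not in dump "$2", space-separated.
lost_slots() {
    after=" $(enabled_slots "$2" | tr '\n' ' ') "
    lost=""
    for s in $(enabled_slots "$1"); do
        case "$after" in
            *" $s "*) ;;                 # still enabled
            *) lost="$lost $s" ;;        # enabled before, gone now
        esac
    done
    echo "${lost# }"
}

count_enabled() { enabled_slots "$1" | wc -l | tr -d ' '; }

# True when fewer slots are enabled afterwards. A successful change may land
# in a different free slot, so the count is compared, not the slot number.
key_lost() {
    [ "$(count_enabled "$2")" -lt "$(count_enabled "$1")" ]
}

if key_lost "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
    echo "key slot(s) lost: $(lost_slots "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
fi
```
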

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-disk-utility (Ubuntu):
status: New → Confirmed