[18.10 FEAT] Protected key dm-crypt key management tool

Bug #1775627 reported by bugproxy on 2018-06-07
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Dimitri John Ledkov
s390-tools (Ubuntu)
Skipper Bug Screeners

Bug Description

Support the usage of protected key crypto for dm-crypt disks in plain format by providing a tool to manage a key repository allowing to associate secure keys with disk partitions or logical volumes.

Made available with s390-tools.2.4.0.

With Ubuntu 18.10 a newer kernel and tools will be provided.

bugproxy (bugproxy) on 2018-06-07
tags: added: architecture-s39064 bugnameltc-168700 severity-high targetmilestone-inin1810
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes) on 2018-06-07
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dimitri John Ledkov (xnox)
information type: Private → Public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.5.0-0ubuntu1

s390-tools (2.5.0-0ubuntu1) cosmic; urgency=medium

  * New upstream release LP: #1776907 LP: #1775627 LP: #1775632
  * Drop udevadm patch, no longer needed
  * Refresh patches
  * Import upstream patches since v2.5.0 LP: #1777600

 -- Dimitri John Ledkov <email address hidden> Tue, 24 Jul 2018 17:00:03 +0100

Changed in s390-tools (Ubuntu):
status: New → Fix Released
Frank Heimes (fheimes) on 2018-07-24
Changed in ubuntu-z-systems:
status: Triaged → Fix Released

------- Comment From <email address hidden> 2018-07-25 02:55 EDT-------
IBM bugzilla status -> closed ; Fix Released by Canoncal and available with Cosmic

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-08-29 03:32 EDT-------
Even the Launchpad is close, I would like to share addl. information for this lineitem...

A new group 'zkeyadm' needs to be created and all users intending to use the tool must be added to this group. The owner of the default key repository '/etc/zkey/repository' must be set to group 'zkeyadm' with write permission for this group.

Not sure if another LP is required for it....

Dimitri John Ledkov (xnox) wrote :

It most likely needs a github issue on s390-tools repo there *and* an lp issue.

Ideally, s390-tools upstream would ship a systemd-tmpfiles tmpfiles.d snippet to create the repository and set group. and a systemd-sysuers sysusers.d to create the revelant group, if not already.

(on ubuntu side we do use tmpfiles.d but not sysusers.d, thus we'd need to modify a few distro-specific things)

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-08-31 10:03 EDT-------
IBM will not add this systemd update into the s390tools package.

Please use this as a pattern for implementation. Many thx in advance

Example for an RPM, which need to be adapted to DEB packages.

The RPM spec file should have the following statements at the desired places:

%pre base
# check for zkeyadm group and create it
getent group zkeyadm > /dev/null || groupadd -r zkeyadm

%files base
%dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey
%dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey/repository

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers