This bug was fixed in the package libblockdev - 2.20-7ubuntu0.1

---------------
libblockdev (2.20-7ubuntu0.1) disco; urgency=medium
  [ intrigeri ]
  * Use existing cryptsetup API for changing keyslot passphrase.
    Cherry-pick upstream fix to use existing cryptsetup API for atomically
    changing a keyslot passphrase, instead of deleting the old keyslot before
    adding the new one. This avoids data loss when attempting to change the
    passphrase of a LUKS2 device via udisks2, e.g. from GNOME Disks.
    Deleting a keyslot and then adding one is risky: if anything goes wrong
    before the new keyslot is successfully added, no usable keyslot is left
    and the device cannot be unlocked anymore. There's little chance this
    causes actual problems with LUKS1, but LUKS2 defaults to the memory-hard
    Argon2 key derivation algorithm, which is implemented in cryptsetup with
    the assumption that it runs as root with no MEMLOCK ulimit; this
    assumption is wrong when run by udisks2.service under LimitMEMLOCK=65536,
    which breaks adding the new keyslot, and makes us hit the problematic
    situation (user data loss) every time.
    With this change, changing a LUKS2 passphrase via udisks2 will still fail
    in some cases, until the MEMLOCK ulimit problem is solved in cryptsetup
    or worked around in udisks2. But at least, if it fails, it will fail
    _atomically_ and the original passphrase will still work.
    (Closes: #928893) (LP: #1837437)

 -- Olivier Tilloy <olivier.til...@canonical.com>  Thu, 25 Jul 2019 12:33:46 +0200

** Changed in: libblockdev (Ubuntu Disco)
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1837437

Title:
  disk content permanently lost when changing LUKS password

Status in libblockdev package in Ubuntu:
  Fix Released
Status in libblockdev source package in Disco:
  Fix Released
Status in libblockdev package in Debian:
  Unknown

Bug description:
  [Impact]
  Users with full disk encryption trying to change the encryption passphrase
  in gnome-disks will get an error message, and after rebooting neither the
  old passphrase nor the new one can unlock their disk, rendering the machine
  unusable.

  [Test Case]
  (can be done in a virtual machine, for testing purposes)
  1. Download a 19.04 ISO, and install it, choosing the full disk encryption
     option
  2. When rebooting after the installation is complete, you are prompted for
     your passphrase to unlock the disk
  3. Once logged in, open gnome-disks, select the encrypted disk and click the
     contextual action to change the encryption passphrase
  4. Enter your old passphrase and the new one (twice), as prompted, then
     click OK

  Expected result: the passphrase is changed successfully, and when rebooting
  the new passphrase can unlock the disk

  Current result: changing the passphrase fails, the user is presented with an
  error message ("Error changing passphrase on device /dev/sda5: Failed to
  add the new passphrase: Invalid argument (udisks-error-quark, 0)"), and when
  rebooting neither the old passphrase nor the new one can unlock the disk,
  which renders it unusable

  To test the fix, the updated libblockdev* packages need to be installed on
  the machine before attempting to change the encryption passphrase in
  gnome-disks.

  [Regression Potential]
  The patch only touches code related to changing the LUKS encryption
  passphrase, so non-encrypted disk setups should not be affected. Scenarios
  with full-disk encryption should be carefully tested, including changing an
  existing passphrase, adding and removing passphrases, both from the
  gnome-disks UI and using the cryptsetup CLI.
  [Original Description]
  This is fixed upstream. Logging this bug to track the fix into Ubuntu.

  From the upstream bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928893

  Dear Maintainer,

  * What led up to the situation?

  Install system using normal full disk encryption LUKS+Ext4. After install
  open gnome-disk-utility and change encryption password. It gives some error
  dialog and now you are royally screwed. It deleted the only LUKS keyslot.
  Cannot add new keyslots because of that. All data will be lost after reboot.

  Here is output of luksdump:

  udo cryptsetup luksDump /dev/sda5
  LUKS header information
  Version:        2
  Epoch:          4
  Metadata area:  16384 [bytes]
  Keyslots area:  16744448 [bytes]
  UUID:           3c16ad4c-294c-4547-bf3e-bb8864ba5ea3
  Label:          (no label)
  Subsystem:      (no subsystem)
  Flags:          (no flags)

  Data segments:
    0: crypt
          offset: 16777216 [bytes]
          length: (whole device)
          cipher: aes-xts-plain64
          sector: 512 [bytes]

  Keyslots:
  Tokens:
  Digests:
    0: pbkdf2
          Hash:       sha256
          Iterations: 59904
          Salt:       XX XX XX XX XX ....
          Digest:     XX XX XX XX XX ...
  ----------------------------------------

  I changed salt and digest. No Keyslots are present!!! I tried this 2 times
  in a row with new install, exactly same result.
  -- System Information:
  Debian Release: buster/sid
    APT prefers testing
    APT policy: (500, 'testing')
  Architecture: amd64 (x86_64)
  Foreign Architectures: i386

  Kernel: Linux 5.0.8-xanmod5 (SMP w/2 CPU cores; PREEMPT)
  Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)
  Shell: /bin/sh linked to /usr/bin/dash
  Init: systemd (via /run/systemd/system)
  LSM: AppArmor: enabled

  Versions of packages gnome-disk-utility depends on:
  ii  dconf-gsettings-backend [gsettings-backend]  0.30.1-2
  ii  libatk1.0-0                                  2.30.0-2
  ii  libc6                                        2.28-10
  ii  libcairo2                                    1.16.0-4
  ii  libcanberra-gtk3-0                           0.30-7
  ii  libdvdread4                                  6.0.1-1
  ii  libgdk-pixbuf2.0-0                           2.38.1+dfsg-1
  ii  libglib2.0-0                                 2.58.3-1
  ii  libgtk-3-0                                   3.24.5-1
  ii  liblzma5                                     5.2.4-1
  ii  libnotify4                                   0.7.7-4
  ii  libpango-1.0-0                               1.42.4-6
  ii  libpangocairo-1.0-0                          1.42.4-6
  ii  libpwquality1                                1.4.0-3
  ii  libsecret-1-0                                0.18.7-1
  ii  libsystemd0                                  241-3
  ii  libudisks2-0                                 2.8.1-4
  ii  udisks2                                      2.8.1-4

  gnome-disk-utility recommends no packages.

  gnome-disk-utility suggests no packages.

  -- no debconf information
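The changelog above replaces a delete-then-add keyslot rotation with the atomic change that cryptsetup already offers (luksChangeKey on the CLI, crypt_keyslot_change_by_passphrase in libcryptsetup), and the luksDump in the report shows what the non-atomic path leaves behind: a LUKS2 header whose Keyslots section is empty. As an added example, not code from libblockdev, udisks2 or the bug report, the Python below parses the text layout of `cryptsetup luksDump` for LUKS2 and implements the two checks a verification step around any keyslot change should make: refuse to remove the last keyslot, and flag a header that can no longer be unlocked. The sample dumps are constructed here and trimmed to the sections the parser reads; on a real system the same text would come from running luksDump against the device.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the layout printed by `cryptsetup luksDump` for a
# LUKS2 header, trimmed to the sections this check reads.
KEYSLOT_0 = "  0: luks2\n        PBKDF:      argon2i\n"
ONE_SLOT_DUMP = ("LUKS header information\nVersion:        2\n"
                 "Data segments:\n  0: crypt\n        cipher: aes-xts-plain64\n"
                 "Keyslots:\n" + KEYSLOT_0 +
                 "Tokens:\nDigests:\n  0: pbkdf2\n        Hash:       sha256\n")
# Same header with the Keyslots section empty, mirroring the report's dump.
NO_SLOT_DUMP = ONE_SLOT_DUMP.replace(KEYSLOT_0, "")

SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")       # top-level, e.g. "Keyslots:"
ENTRY_RE = re.compile(r"^\s+(\d+):\s+(\S+)\s*$")  # numbered entry, e.g. "  0: luks2"


def parse_sections(dump: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each top-level luksDump section to its numbered entries (index, type)."""
    sections: Dict[str, List[Tuple[int, str]]] = {}
    current = None
    for line in dump.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((int(m.group(1)), m.group(2)))
    return sections


def active_keyslots(dump: str) -> List[int]:
    """Indices of keyslots that can still unlock the volume."""
    return [idx for idx, _ in parse_sections(dump).get("Keyslots", [])]


def header_problems(dump: str) -> List[str]:
    """Findings a post-change verification should flag before the next reboot."""
    problems = []
    if not active_keyslots(dump):
        problems.append("no keyslots: volume can no longer be unlocked")
    if not parse_sections(dump).get("Digests"):
        problems.append("no digests: volume key cannot be verified")
    return problems


def can_remove_keyslot(dump: str, slot: int) -> bool:
    """Precondition the delete-then-add sequence violated: never remove the
    last keyslot, so a failed add (e.g. under a MEMLOCK limit) is recoverable."""
    slots = active_keyslots(dump)
    return slot in slots and len(slots) > 1
```

Running header_problems on the dump from the report would return the "no keyslots" finding, which is the state the fix prevents by changing the passphrase in place instead of through a remove-then-add window.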