Warning: ubuntu tpm recovery key cannot unlock disk outside of boot - eviltoast

Hi everybody, bit of a warning here: The recovery key generated during the installation of Ubuntu 23.10 (if you select tpm-backed fde) cannot be used to unlock the disk outside of boot, as in any ‘cryptsetup’ command and so on will not accept the recovery key. unlocking when accessed from different system does not work etc.

You can use it to unlock the disk while booting if your tpm somehow fails, but ONLY in that specific situation.

I kind of purposefully broke my tpm keys to see if it could be restored with 23.10 and ended up having to reinstal, as I ended up having to enter the recovery key at boot every time and no way of adding additional unlock options to the volume, as cryptsetup would not accept the recovery key as passphrase.

This bug could be very bad for new users.

See this bug report: https://bugs.launchpad.net/ubuntu-desktop-installer/+bug/2039741

    • ichbinjasokreativ@lemmy.worldOP
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      That’s true, but the issue is that cryptsetup does not accept the recovery key as a passphrase for the disk. Once the tpm gets reset, the user has to always enter the recovery key and cannot implement a new key to luks and the tpm.

        • ichbinjasokreativ@lemmy.worldOP
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          I wasn’t blaming cryptsetup, my mistake if it came across as though I did.

          Thank you for taking the time to look into a possible fix, I might just reinstall with tpm-backed fde again to see if this really works.

        • MAFoElffen@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          1 year ago

          @Skull giver – I mentioned this above, but couldn’t link it to you.

          I like the code but the go run recover.go 2> key.text does not redirect the key to a file. It does not get input of the recovery key, so errors. Could you please add a few lines to write it directly to that file, instead of displaying it? (or output to both?)

          As someone thought, what is displayed onscreen is jibberish, because console cannot display raw hex characters… I’m thinking the LUKS key in the keyslot is raw or hex.

          As I now know, it is translated. And we can get the recovery key (hopefully) translated the other way around…

          If I can just find the valid key value, and write it to a file, then I can help @inchbinjasokreativ to write it back to his TPM. I’ve already written a BASH script to do that, but am just missing that key-file. I have the problem replicated to a VM, so can test it on that first.

            • MAFoElffen@lemmy.world
              link
              fedilink
              arrow-up
              3
              ·
              1 year ago

              Success! I have a working key file…

              root@ubuntu:/home/ubuntu/Downloads# cryptsetup -v luksOpen /dev/sda3 luks-01 --key-file ./key-file.key
              No usable token is available.
              Warning: keyslot operation could fail as it requires more than available memory.
              Key slot 1 unlocked.
              Command successful.
              root@ubuntu:/home/ubuntu/Downloads# cryptsetup -v luksOpen /dev/sda4 luks-02 --key-file ./key-file.key
              No usable token is available.
              Warning: keyslot operation could fail as it requires more than available memory.
              Key slot 1 unlocked.
              Command successful.
              

              Success on the first volume, which I picked as first because it was only 53M in size. Mounted it to /mnt… And guess what I found inside it?

              root@ubuntu:/home/ubuntu/Downloads# ls -l /mnt/device/private-keys-v1/
              total 4
              -rw------- 1 root root 2459 Oct 18 18:29 O8CbAEpnfm7jGKkMqnokmdMBlE1oV6Xma_bUNudlshDYPxE4aJNhbhiGnF360Ze4
              

              That is a key, but not connected to either LUKS container there… I dumped the headers of both LUKS. There are 2 key-slots, and the key translated from the recovery key is in slot one of both containers, The second key-slot’s key must be the TPM’s key, which is unknown if that is stored anywhere except the TPM…

              But is shouldn’t matter now… Because that key-file did work to add a new passphrase to both LUKS containers.

              Thank you @Skull giver.

    • kautau@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Yeah I’m hybrid Windows/Linux user, but many of my drives are Bitlocker encrypted. I need to install a bios update. To do so, it requires me to decrypt every bitlocker drive and not just the OS drive. Because the TPM keystore is based on the OS key store for each bitlocker drive. It’s frustrating, but it makes sense, so I’m all for additional security