[Bug 1898129] Re: Cannot configure 'cryptsetup luksFormat' at install time
Mauricio Faria de Oliveira
1898129 at bugs.launchpad.net
Wed Jan 13 18:41:34 UTC 2021
Verification done for focal-proposed (partman-crypto)
---
1) Booted the Ubuntu 20.04.1 Desktop ISO.
2) Launched a terminal, extracted the .udeb and copied over the crypto-base.sh file.
3) Performed installation to encrypted disk without the preseed option (default).
4) Performed installation to encrypted disk with the preseed option (testing).
In both cases, the installation finishes successfully, and the system can boot.
The LUKS header version is used as expected (LUKS2 by default, LUKS1 w/ option).
Details:
---
Launch terminal:
$ wget https://launchpad.net/ubuntu/+archive/primary/+files/partman-crypto_101ubuntu4.1_amd64.udeb
$ dpkg-deb -x partman-crypto_101ubuntu4.1_amd64.udeb udeb
$ sudo cp udeb/lib/partman/lib/crypto-base.sh /lib/partman/lib/crypto-base.sh
$ grep luksopts /lib/partman/lib/crypto-base.sh
local mapping device cipher iv size pass luksopts
luksopts="$RET"
log "Additional options for luksFormat: '$luksopts'"
log-output -t partman-crypto /sbin/cryptsetup -c $cipher-$iv -h $hash -s $size $luksopts luksFormat $device $pass
Launch ubiquity / Install Ubuntu 20.04.1 Desktop to Encrypted LVM device.
(In 'Installation type', select 'Erase disk and install Ubuntu', click on 'Advanced features', select 'Use LVM ...', select 'Encrypt ...', and move on to 'Install Now')
Launch terminal:
Without the option:
$ sudo debconf-get partman-crypto/luksformat_options
$
$ lsblk --ascii | grep -B1 crypt
`-vda6 252:6 0 8.8G 0 part
`-vda6_crypt 253:0 0 8.8G 0 crypt
$ sudo cryptsetup luksDump /dev/vda6 | head -n2
LUKS header information
Version: 2
With the option:
$ sudo debconf-get partman-crypto/luksformat_options
--type luks1
$ lsblk --ascii | grep -B1 crypt
`-vda6 252:6 0 8.8G 0 part
`-vda6_crypt 253:0 0 8.8G 0 crypt
$ sudo cryptsetup luksDump /dev/vda6 | head -n3
LUKS header information for /dev/vda6
Version: 1
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1898129
Title:
Cannot configure 'cryptsetup luksFormat' at install time
Status in partman-crypto package in Ubuntu:
Invalid
Status in ubiquity package in Ubuntu:
Fix Released
Status in partman-crypto source package in Focal:
Fix Committed
Status in ubiquity source package in Focal:
In Progress
Status in partman-crypto source package in Groovy:
Invalid
Status in ubiquity source package in Groovy:
Won't Fix
Status in partman-crypto source package in Hirsute:
Invalid
Status in ubiquity source package in Hirsute:
Fix Released
Status in partman-crypto package in Debian:
Unknown
Bug description:
[Impact]
* Users cannot specify options for 'cryptsetup luksFormat'
that is used by the installer.
* Some deployments need the installed disks in LUKS1 format
for backward compatibility with older releases that don't
support LUKS2, for backup/audit/management purposes.
* However, on Focal and later, cryptsetup defaults to LUKS2,
which broke that functionality.
* Currently it's not possible to request the LUKS format in
the installer, so this patch allows for that w/ a preseed
option ('partman-crypto/luksformat_options') for the user.
[Test Case]
* Default behavior: LUKS2
- Install Ubuntu (Focal/later); check LUKS header version:
$ sudo cryptsetup luksDump /dev/vda4
LUKS header information
Version: 2
...
* Opt-in behavior: LUKS1 (for example; can use other options)
- Install Ubuntu (Focal/later) with preseed file/option:
ubiquity partman-crypto/luksformat_options string \
--type luks1
- Check LUKS header version:
$ sudo cryptsetup luksDump /dev/vda4
LUKS header information for /dev/vda4
Version: 1
...
- Check install logs for confirmation:
$ grep luksFormat /var/log/partman
/usr/bin/autopartition-crypto: Additional options for luksFormat: '--type luks1'
[Where problems could occur]
* The changes are contained within the partman-crypto functionality,
so only installs with encrypted disks should be affected by issues.
* Any additional options specified to 'cryptsetup luksFormat' are
opt-in _and_ specified by the user via the preseed option, thus
errors are probably tied to particular options (mis)used.
* If the preseed option is not specified, original behavior remains.
[Other Info]
* This patch is applied in Hirsute.
* This patch is not needed in Groovy (rationale in comment #15.)
* This patch is targeted at Focal (cryptsetup defaulted to LUKS2.)
* This patch is not needed in Bionic/earlier (^defaults to LUKS1.)
[Original Description]
Most users should be fine with the options to
'cryptsetup luksFormat' used by the installer.
However, some users may have reasons to use
other options, and that is not possible now.
Let's provide a new preseed option for that:
'partman-crypto/luksformat_options'
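The header check from the [Test Case] above, written as an added shell example (not part of the bug report or of partman-crypto): it derives the expected LUKS version from the preseed value and compares it with `cryptsetup luksDump` output. The function names and the sample dump text are constructed for illustration, and the LUKS2 default assumes Focal or later.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample dumps are constructed.

# Print the header version from `cryptsetup luksDump` output read on stdin.
luks_version_from_dump() {
    awk '$1 == "Version:" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Print the header version expected for a partman-crypto/luksformat_options
# value. Assumes the Focal default (LUKS2) when no --type/-M is given.
expected_luks_version() {
    want=2
    set -f; set -- $1; set +f   # word-split like the unquoted $luksopts
    while [ $# -gt 0 ]; do
        case $1 in
            --type=*)  t=${1#--type=} ;;
            --type|-M) t=${2:-}; if [ $# -gt 1 ]; then shift; fi ;;
            *)         t=skip ;;
        esac
        case $t in
            luks1) want=1 ;;
            luks2) want=2 ;;
            skip)  ;;
            *)     return 1 ;;  # missing or non-LUKS1/2 type: cannot predict
        esac
        shift
    done
    echo "$want"
}

# Usage: <luksDump output> | verify_luks_header "<preseed options>"
# Returns 0 on match, 1 on mismatch, 2 if either side cannot be determined.
verify_luks_header() {
    want=$(expected_luks_version "$1") || return 2
    got=$(luks_version_from_dump) || return 2
    [ "$want" = "$got" ]
}

# Constructed samples modelled on the output shown in this report.
DUMP_DEFAULT='LUKS header information
Version:        2'
DUMP_LUKS1='LUKS header information for /dev/vda6
Version:        1'

printf '%s\n' "$DUMP_LUKS1" | verify_luks_header '--type luks1' \
    && echo "header version matches preseed option"
```

On an installed system the inputs would come from `sudo cryptsetup luksDump <device>` and `sudo debconf-get partman-crypto/luksformat_options`, as in the verification steps.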