[Bug 1506995] Re: Ubiquity facilitate attack on crypto LUKS

[Phillip Susi]

Encryption is supposed to protect the data you store there *after*
enabling it, not *before*.  If you want to do both, then it should be
filled with /dev/urandom.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to user-setup in Ubuntu.
https://bugs.launchpad.net/bugs/1506995

Title:
  Ubiquity facilitate attack on crypto LUKS

Status in ubiquity package in Ubuntu:
  Triaged
Status in user-setup package in Ubuntu:
  Triaged

Bug description:
  In Ubiquity's script/user-setup-encrypted-swap, the crypt partition is
  zeroed. This leaves it more vulnerable to attacks. The attacker knows
  the partition is zeroed and can more easily find the encryption key.

  The included patch solves this issue, but this can also be done in a
  faster way by using openssl.

  Patched lines:

  dd if=/dev/urandom of=$device bs=16M seek=1 2>/dev/null || true

  Alternative approch:

  openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128
  count=1 2>/dev/null | base64)" -nosalt < /dev/zero | head -c $size |
  dd of=$target

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1506995/+subscriptions