[Bug 2065510] Re: /lib/cryptsetup/scripts/decrypt_derived reveals encryption keys to non-root processes
Seth Arnold
2065510 at bugs.launchpad.net
Wed May 29 02:18:00 UTC 2024
I've poked around a little bit and think this might not justify much
time to fix:
- it's suggested to be used in the initramfs, presumably before untrusted users are executing
- it's apparently not going to work with luks2 format, only luks1, and I believe we've switched the default to luks2
In an ideal world this would be written in a better language, but if it
hasn't already happened then it probably won't happen.
Thanks
** Changed in: cryptsetup (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2065510
Title:
/lib/cryptsetup/scripts/decrypt_derived reveals encryption keys to
non-root processes
Status in cryptsetup package in Ubuntu:
Confirmed
Bug description:
Hi,
the shell script
/lib/cryptsetup/scripts/decrypt_derived
has several commands using a secret encryption key as a command line
argument, such as

    count="$(printf '%s' "$keys" | wc -l)"
    printf '%s' "$keys"

Never ever put confidential data on the command line, since command line arguments can be seen by all processes with ps.
ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: cryptsetup 2:2.6.1-4ubuntu3
ProcVersionSignature: Ubuntu 6.5.0-26.26-generic 6.5.13
Uname: Linux 6.5.0-26-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: LXQt
Date: Sun May 12 00:34:41 2024
InstallationDate: Installed on 2023-11-23 (170 days ago)
InstallationMedia: Lubuntu 23.10 "Mantic Minotaur" - Release amd64 (20231010)
SourcePackage: cryptsetup
UpgradeStatus: No upgrade log present (probably fresh install)
cmdline: BOOT_IMAGE=/boot/vmlinuz-6.5.0-26-generic root=UUID=2492f316-63b1-4d54-91c1-93977da2b542 ro quiet cryptdevice=UUID=7e853824-e105-467f-b0a2-58b3b2334318:luks-7e853824-e105-467f-b0a2-58b3b2334318 root=/dev/mapper/luks-7e853824-e105-467f-b0a2-58b3b2334318 splash vt.handoff=7
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2065510/+subscriptions
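
An added example, not part of the bug report or of the cryptsetup package: a small POSIX sh audit that reports, for each pipeline stage mentioning a secret variable, whether the shell running it resolves the command word to an external program (arguments visible in /proc/<pid>/cmdline) or handles it in-process. The helper names and the `env printf` contrast line are constructed for illustration, and the result depends on the shell that actually executes the script.

```shell
#!/bin/sh
# Added example: which commands in a script receive a secret on an argv that
# other processes can read? External programs are started with execve(), so
# their arguments show up in /proc/<pid>/cmdline (the source ps reads).
# Shell builtins run inside the shell process and get no argv of their own.

# resolve_kind NAME -> "external", "in-shell" or "missing" (hypothetical helper)
resolve_kind() {
    # POSIX: command -v prints an absolute path for external programs and
    # the bare name for builtins and functions.
    where=$(command -v "$1" 2>/dev/null) || { echo missing; return 0; }
    case $where in
        /*) echo external ;;
        *)  echo in-shell ;;
    esac
}

# audit_script VAR < script: for each pipeline stage that mentions $VAR, print
# the command word and how this shell resolves it. Line-based heuristic, not
# a shell parser.
audit_script() {
    var=$1
    tr '|' '\n' | while IFS= read -r stage; do
        case $stage in
            *"\$$var"*|*"\${$var}"*) ;;
            *) continue ;;
        esac
        # Strip text up to an opening "$(" and leading blanks; keep first word.
        cmd=$(printf '%s\n' "$stage" |
            sed -e 's/^.*\$(//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//')
        echo "$cmd $(resolve_kind "$cmd")"
    done
}

# Two lines quoted in the bug report, plus one constructed contrast line that
# routes the same data through an external program.
sample_lines() {
    cat <<'EOF'
count="$(printf '%s' "$keys" | wc -l)"
printf '%s' "$keys"
env printf '%s' "$keys"
EOF
}

sample_lines | audit_script keys
```

Run it with the same interpreter the audited script uses, since a command that is a builtin in one shell can be an external binary in another.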