canonical-ubuntu-qa team mailing list archive

Thread
Date

[Bug 2016912] Re: Installing with full disk encryption when using a non-English keyboard layout results in difficulties unlocking the disk

To: canonical-ubuntu-qa@xxxxxxxxxxxxxxxxxxx
From: Simon Quigley <2016912@xxxxxxxxxxxxxxxxxx>
Date: Mon, 25 Dec 2023 18:51:15 -0000
Reply-to: Bug 2016912 <2016912@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Hey sudodus, I realize I didn't explain myself very well!

This decision is after a *lot* of discussion and back/forth from
Foundations and Security where we asked all these questions in detail.
The specific person I spoke with has 20 years of experience with Linux
Security (and the other is a GRUB maintainer).

The benefit of having *full* disk encryption is the idea of increased
security. That's about it. The security impact is actually negligible,
encrypted /boot takes 3x longer to boot, it doesn't have support for
other keyboard layouts, and the icing on the cake is that we're actually
relying on GRUB's built-in encryption algorithms, which aren't checked
for vulnerabilities.

To quote the incredibly experienced member of the Security Team:
> IMHO it's hard to see value from encrypting the boot process: an attacker could replace either one just fine, right? That's where the signatures come in, but that really only helps if the measurements contribute to unsealing a key for the rest of the data, and I'm not sure that's really there for most platforms yet

If there's anything we failed to consider here, please say so. I just
think, unfortunately we've had the wrong defaults for a while. Let me
know if you have any questions.

--
You received this bug notification because you are a member of
Canonical's Ubuntu QA, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2016912

Title:
Installing with full disk encryption when using a non-English keyboard
layout results in difficulties unlocking the disk

Status in calamares package in Ubuntu:
Confirmed

Bug description:
Steps to reproduce:

1. Boot the Lubuntu Lunar Final ISO.
2. Launch Calamares and set the language to "Spanish (Mexico)".
3. Proceed through the installer until you get to the partitioning screen.
4. At the partitioning screen, enable encryption and type a passphrase that includes a double-quote symbol.
- On a Spanish keyboard the double-quote symbol is on the same key as the @ symbol on an English keyboard. So if you have an English keyboard, type a passphrase like P@ssphrase1 or something.
5. Finish the installation process.
6. Reboot.
7. Attempt to enter the disk passphrase exactly as you had entered it into Calamares.

Expected result: The disk should unlock and Lubuntu should boot.

Actual result: An "access denied" error is shown and you are dropped
to a "grub rescue>" prompt. You can unlock the disk if you reboot and
type the passphrase, but using the English double-quote rather than
the Spanish one. (For instance, if you have an English keyboard, you
would have typed P@ssphrase1 into Calamares but would then have to
type P"ssphrase1 to unlock the disk.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/calamares/+bug/2016912/+subscriptions