AEM password also fed to disk decryption #978
Labels
C: other
help wanted
This issue will probably not get done in a timely fashion without help from community contributors.
P: major
Priority: major. Between "default" and "critical" in severity.
If the AEM secret is protected by a TPM password, then that password, after unsealing the secret, will also be used silently to try and decrypt the disk. This can be verified by entering the disk password into the AEM password prompt.
The TPM password should of course be different from the LUKS password, so this bug will trigger #977: After entering the correct TPM password, you'll have to enter the correct disk password twice (at least if Qubes was installed with the btrfs layout).
(Tested on Qubes 3.0 RC1 with anti-evil-maid 2.0.7 and 2.0.8)