@@ -30,13 +30,13 @@ const (
3030 infoSuccessTitle = "Encryption key escrow"
3131 infoSuccessText = "Key escrowed successfully."
3232 maxKeySlots = 8
33+ userKeySlot = 0 // Key slot 0 is assumed to be the location of the user's passphrase
3334)
3435
3536var ErrKeySlotFull = regexp .MustCompile (`Key slot \d+ is full` )
3637
3738func (lr * LuksRunner ) Run (oc * fleet.OrbitConfig ) error {
38- ctx , cancel := context .WithCancel (context .Background ())
39- defer cancel ()
39+ ctx := context .Background ()
4040
4141 if ! oc .Notifications .RunDiskEncryptionEscrow {
4242 return nil
@@ -65,28 +65,38 @@ func (lr *LuksRunner) Run(oc *fleet.OrbitConfig) error {
6565 }
6666
6767 if err := lr .escrower .SendLinuxKeyEscrowResponse (response ); err != nil {
68+ // If sending the response fails, remove the key slot
69+ if keyslot != nil {
70+ if err := removeKeySlot (ctx , devicePath , * keyslot ); err != nil {
71+ log .Error ().Err (err ).Msg ("failed to remove key slot" )
72+ }
73+ }
74+
75+ // Show error in dialog
6876 if err := lr .infoPrompt (ctx , infoFailedTitle , infoFailedText ); err != nil {
69- log .Debug ().Err (err ).Msg ("failed to show failed escrow key dialog" )
77+ log .Info ().Err (err ).Msg ("failed to show failed escrow key dialog" )
7078 }
79+
7180 return fmt .Errorf ("escrower escrowKey err: %w" , err )
7281 }
7382
7483 if response .Err != "" {
7584 if err := lr .infoPrompt (ctx , infoFailedTitle , response .Err ); err != nil {
76- log .Debug ().Err (err ).Msg ("failed to show failed escrow key dialog" )
85+ log .Info ().Err (err ).Msg ("failed to show response error dialog" )
7786 }
7887 return fmt .Errorf ("error getting linux escrow key: %s" , response .Err )
7988 }
8089
8190 // Show success dialog
8291 if err := lr .infoPrompt (ctx , infoSuccessTitle , infoSuccessText ); err != nil {
83- log .Debug ().Err (err ).Msg ("failed to show success escrow key dialog" )
92+ log .Info ().Err (err ).Msg ("failed to show success escrow key dialog" )
8493 }
8594
8695 return nil
8796}
8897
8998func (lr * LuksRunner ) getEscrowKey (ctx context.Context , devicePath string ) ([]byte , * uint , error ) {
99+ // AESXTSPlain64Cipher is the default cipher used by ubuntu/kubuntu/fedora
90100 device := luksdevice .New (luksdevice .AESXTSPlain64Cipher )
91101
92102 // Prompt user for existing LUKS passphrase
@@ -133,16 +143,16 @@ func (lr *LuksRunner) getEscrowKey(ctx context.Context, devicePath string) ([]by
133143 return nil , nil , fmt .Errorf ("Failed to generate random passphrase: %w" , err )
134144 }
135145
136- // Create a new key slot, error if all key slots are full
137- // keySlot 0 is assumed to be the user's passphrase
138- // so we start at 1
139- var keySlot uint = 1
146+ // Create a new key slot and error if all key slots are full
147+ // Start at slot 1 as keySlot 0 is assumed to be the location of
148+ // the user's passphrase
149+ var keySlot uint = userKeySlot + 1
140150 for {
141151 if keySlot == maxKeySlots {
142152 return nil , nil , errors .New ("all LUKS key slots are full" )
143153 }
144154
145- userKey := encryption .NewKey (0 , passphrase )
155+ userKey := encryption .NewKey (userKeySlot , passphrase )
146156 escrowKey := encryption .NewKey (int (keySlot ), escrowPassphrase )
147157
148158 if err := device .AddKey (ctx , devicePath , userKey , escrowKey ); err != nil {
@@ -286,3 +296,12 @@ func getSaltforKeySlot(ctx context.Context, devicePath string, keySlot uint) (st
286296
287297 return slot .KDF .Salt , nil
288298}
299+
300+ func removeKeySlot (ctx context.Context , devicePath string , keySlot uint ) error {
301+ cmd := exec .CommandContext (ctx , "cryptsetup" , "luksKillSlot" , devicePath , fmt .Sprintf ("%d" , keySlot ))
302+ if err := cmd .Run (); err != nil {
303+ return fmt .Errorf ("Failed to run cryptsetup luksKillSlot: %w" , err )
304+ }
305+
306+ return nil
307+ }
0 commit comments