Is this even necessary? I found /var/lib/snapd/device/fde/recovery.key
#2
Comments
I'm glad it helped you.
Is snapd, e.g.
That's a nice find, thank you, I can see some files there with content that might be helpful with my issue mentioned above. I just checked my installation and my file has content. However I had reinstalled the machine which had an issue with the 24.04.1 media at the start of September. Check that snapd is running on your machine
It's possible that silent major code changes introduced this. My system seemed to work fine from May until August with 24.04. Then it broke and I'm still trying to find ways to address such issues so that they can be resolved to prevent future damage to other users. Last weekend I reviewed the bug and posts I created and made some changes and filed a new bug for my issue. I mailed the contact address for the snap store and pointed them to the new bug, but I have not received any feedback yet. Since my PR has not been merged yet, I think JPS just put the script here as an answer to one of my posts in the thread you mentioned. I was considering a fork to do the eventual maintenance work and documentation myself. Let me know if there is anything I can help with that can be done in a reasonable time frame.
Only to clarify this 😉 : I meant the output of the Yes, they seem to have done some other changes as well since your documentation. I also have two encrypted partitions which are named
To answer your initial question @Blaimi, I wasn't aware the recovery key was available on the filesystem of the encrypted device. But good to know there is some other way to find/use it. I might add some information to the README.md about this. However, I still think the script is useful because it allows you to generate a copy of the So if your system is completely broken, but you need access to the encrypted drive and only have the recovery string, you can still unlock the disk.
Hi there,
it took me ages to find out how I can decrypt a TPM-encrypted drive from a live system or from an external system until I eventually stumbled upon this script. See also this ubuntuforums.org topic and this answer in discourse.ubuntu.com by @local-optimum where it is mentioned that “attempting to access data via an external device (in this case the live session) is an example of the attack vector this feature is designed to address”—with which I absolutely disagree in this context! I used the documentation from #1 as a starting point and found out that it works as intended – thanks for this 😄.
At the end, it was an error message which pointed me to the file `/var/lib/snapd/device/fde/recovery.key`. `sudo snap recovery --show-keys` is not working anymore on my device (I don't know why and I also care only a little why I didn't file it (yet)), but the error message mentioned this file: (translated freely, because `export LANG=C` is ignored by snap: “slot 1 is already used, please use another one”)

I did a `sudo diff /var/lib/snapd/device/fde/recovery.key key.out` and guess what—it's empty.

I'm using now the command `sudo cryptsetup luksAddKey /dev/nvme0n1p3 --key-file /var/lib/snapd/device/fde/recovery.key` (and `…p4` for the second encrypted partition) to add another key to be able to decrypt the drive with my own passphrase whenever I want to access it from an “external device (in this case the live session)”.

Thank you for all your work @jps-help and @lwbt which helped me to point this out. The public documentation on this feature coming from Canonical is even for an experimental feature totally bull 💩.
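
The steps from the post above as a guarded script (an added example, not part of the original issue or the project's script): it checks that the key file is non-empty and owner-only, tests it against the device with `cryptsetup open --test-passphrase`, and only then runs the `luksAddKey` command from the post. The function names are hypothetical, the device is passed as an argument, and the keyslot listing assumes a LUKS2 header.

```shell
#!/bin/sh
# Added example: sanity checks before enrolling a passphrase with the
# snapd recovery key file. Key file path and luksAddKey call are from the
# post; function names are hypothetical. Run as root.
# Usage: sh enroll.sh /dev/nvme0n1p3 [more devices...]

KEYFILE="${KEYFILE:-/var/lib/snapd/device/fde/recovery.key}"

# Return 0 only if the key file is a non-empty regular file with no
# group/other permission bits (e.g. mode 600 or 400).
keyfile_is_private() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if the key file unlocks the LUKS device. --test-passphrase only
# verifies the key; no mapping is created and the header is not modified.
keyfile_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Verify the key file, add a new passphrase (prompted interactively), then
# print the keyslot section so the new slot can be confirmed (LUKS2 layout).
enroll_passphrase() {
    dev="$1"; key="$2"
    keyfile_is_private "$key" || {
        echo "refusing: $key is missing, empty or accessible to others" >&2
        return 1
    }
    keyfile_unlocks "$dev" "$key" || {
        echo "refusing: $key does not unlock $dev" >&2
        return 1
    }
    cryptsetup luksAddKey "$dev" --key-file "$key" || return 1
    cryptsetup luksDump "$dev" | sed -n '/^Keyslots:/,/^Tokens:/p'
}

if [ "$#" -ge 1 ]; then
    for dev in "$@"; do
        enroll_passphrase "$dev" "$KEYFILE" || exit 1
    done
fi
```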