Is this even necessary? I found `/var/lib/snapd/device/fde/recovery.key`

[Blaimi]

Hi there,

it took me ages to find out, how I can decrypt a TPM-Encrypted drive from a live-system or from an external system until I eventually stumbled upon this script. See also this ubuntuforums.org topic and this answer in discourse.ubuntu.com by @local-optimum where is mentioned, that “attempting to access data via an external device (in this case the live session) is an example of the attack vector this feature is designed to address”—which I absolutely disagree in this context! I used the documentation from #1 as a starting point and found out that it works like intended – thanks for this 😄.

At the end, it was an error-message which pointed me to the file /var/lib/snapd/device/fde/recovery.key. sudo snap recovery --show-keys is not working anymore on my device (I don't know why and I also care only a little why I didn't file it (yet)), but the error-message mentioned this file:

Fehler: cannot run keymgr tool: cannot run
        ["/usr/lib/snapd/snap-fde-keymgr" "add-recovery-key" "--key-file"
        "/var/lib/snapd/device/fde/recovery.key" "--devices"
        "/dev/disk/by-partuuid/4da6d9cb-7284-42b0-b3a9-efa4935faaf8"
        "--authorizations" "keyring" "--devices"
        "/dev/disk/by-partuuid/464a99d1-6401-4c36-b754-6dd113d7fcc4"
        "--authorizations"
        "file:/run/mnt/data/var/lib/snapd/device/fde/ubuntu-save.key"]: -----
        stderr: error: cannot add recovery key to LUKS device: cannot add key:
        cryptsetup failed with: Schlüsselfach 1 ist voll, bitte wählen Sie ein
        anderes. -----

(translated freely, because export LANG=C is ignored by snap: “slot 1 is already used, please use another one”)

I did a sudo diff /var/lib/snapd/device/fde/recovery.key key.out and guess what—it's empty.

I'm using now the command sudo cryptsetup luksAddKey /dev/nvme0n1p3 --key-file /var/lib/snapd/device/fde/recovery.key (and …p4 for the second encrypted partition) to add another key to be able to decrypt the drive with my own passphrase whenever I want to access it from an “external device (in this case the live session)”.

Thank you for all your work @jps-help and @lwbt which helped me to point this out. The public documentation on this feature coming from cannonical is even for an experimental feature totally bull 💩.

[lwbt]

I used the documentation from #1 as a starting point and found out that it works like intended – thanks for this 😄.

I'm glad it helped you.

sudo snap recovery --show-keys is not working anymore on my device

Is snapd, e.g. snap list, working? I had, and still have, an issue where snapd encounters an issue in pc and pc-kernel, which brings snapd to a fault, which triggers another systemd unit that should recover from such failures, but also fails.

I did a sudo diff /var/lib/snapd/device/fde/recovery.key key.out and guess what—it's empty.

That's a nice find, thank you, I can see some files there with content that might be helpful with my issue mentioned above.

I just checked my installation and my file has content. However I had reinstalled the machine which had an issue with the 24.04.1 media at the start of September. Check that snapd is running on your machine

Is this even necessary? I found /var/lib/snapd/device/fde/recovery.key

I's possible that silent major code changes introduced this. My system seemed to work fine from May until August with 24.04. Then it broke and I'm still trying to find ways to address such issues so that they can be resolved to prevent future damage to other users.

Last weekend I reviewed the bug and posts I created and made some changes and filed a new bug for my issue. I mailed the contact address for the snap store and pointed them the the new bug, but I have not received any feedback yet.

Since my PR has not been merged yet, I think JPS just put the script here as an answer to one of my posts in the thread you mentioned.

I was considering a fork to do the eventual maintenance work and documentation myself. Let me know if there is anything I can help with that can be done in a reasonable time frame.

[Blaimi]

I did a sudo diff /var/lib/snapd/device/fde/recovery.key key.out and guess what—it's empty.

I just checked my installation and my file has content. However I had reinstalled the machine which had an issue with the 24.04.1 media at the start of September. Check that snapd is running on your machine

Only to clarify this 😉 : I meant the output of the diff is empty, i.e. they have the same content which is 16 bytes.

Yes, they seem to have done some other changes as well since your documentation. I also have two encrypted partitions which are named ubuntu-save and ubuntu-data instead of ubuntu-data-enc

[jps-help]

To answer your initial question @Blaimi,

I wasn't aware the recovery key was available on the filesystem of the encrypted device. But good to know there is some other way to find/use it. I might add some information to the README.md about this.

However, I still think the script is useful because it allows you to generate a copy of the recovery.key using only the recovery string that snap recovery --show-keys outputs.

So if your system is completely broken, but you need access to the encrypted drive and only have the recovery string, you can still unlock the disk.