I have received an incoming security issue about our cryptsetup-helper program that works as part of the OEM install (in this case the June 2018 release). The cryptsetup-helper script that runs as part of /run/gnome-initial-setup logs the LUKS password the user sets into /var/log/auth.log because it accepts the password on the command line as part of the --password argument!
- Run through normal OEM install
- Reboot and set LUKS passphrase
- Login, open terminal, and type: sudo grep cryptsetup-helper /var/log/auth.log
- Read password in plain text!
Options to remedy:
- Disable logging for this script
- Provide the password to cryptsetup-helper.py without passing it on the command line