fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Disk encryption & key escrow (LUKS) for Ubuntu and Fedora Linux #22074

Open noahtalerman opened 2 months ago

noahtalerman commented 2 months ago

Goal

User story
As an IT admin,
I want to encrypt my Ubuntu Linux and Fedora Linux workstations and escrow the key to Fleet
so that my team can get access to encrypted data w/o the local password when an employee who used Linux leaves the company.

Key result

Deliver customer promises

Original request

Context

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

allenhouchins commented 2 months ago

Feedback from a prospect on the importance of this feature and perceived challenges with how we might be implementing: https://us-65885.app.gong.io/call?id=5838738012422416070&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A724%2C%22to%22%3A1385%7D%5D

noahtalerman commented 2 months ago

  • [ ] Feature guide changes: @noahtalerman: I think we want to include instructions for the entire journey: Linux workstation is encrypted, workstation is sent back to IT admin (b/c employee left company), IT admin logs in to workstation w/ disk encryption key.

@sharon-fdm FYI I added this feature guide request (see issue description) for this user story. I think this user story is coming to estimation soon.

cc @rachaelshaw

noahtalerman commented 2 months ago

Feedback from a prospect on the importance of this feature and perceived challenges with how we might be implementing: https://us-65885.app.gong.io/call?id=5838738012422416070&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A724%2C%22to%22%3A1385%7D%5D

@allenhouchins thanks!

Heads up that I moved this info to the original request (bullets in top of issue description here).

We want that request issue to be the main document for all research (Gong snippets, feedback/thoughts, etc.). That way, we can reference it to help decide if we need to peel more user story issues (like this one) off of the request to call the request done/addressed.

sharon-fdm commented 2 months ago

Estimates: FE: 3 BE: Timebox 2 points to learn/investigate what's needed.

sharon-fdm commented 2 months ago

@noahtalerman, the previous encryptions for macOS and Windows were done by the MDM team so it's hard for us to estimate immediately. We timeboxed 2 points to ramp on it so we'll have a better estimation. Keeping it in "Ready for spec" for now.

lukeheath commented 2 months ago

@rachaelshaw I noticed you added and removed the customer/prospect labels, which I think was on accident, so I'm adding them back. Please let me know if I'm wrong. Thanks!

rachaelshaw commented 2 months ago

I noticed you added and removed the customer/prospect labels, which I think was on accident, so I'm adding them back. Please let me know if I'm wrong. Thanks!

@lukeheath That was intentional actually! I initially copied over the labels from the original request, but @noahtalerman clarified we don't need to do that (leaving it up to CS to decide whether to add labels to user stories).

lukeheath commented 2 months ago

Got it, thanks! Removed the labels.

lukeheath commented 2 months ago

@sharon-fdm This story is needed for next sprint. If we need to do some research in order to estimate, we should create a timebox issue (maybe as a sub-task of this story) and bring the timebox into the current release board with an estimate of 2. That way, it's clear to everyone where the status of the research is and when it's being done this sprint. Let me know if you have any questions. Thanks!

sharon-fdm commented 2 months ago

@lucasmrod, I am moving this to our board temporarily for the time-boxed estimation task. Once done, will be moved back to Draft board until next sprint. (Frontend part is already estimated at 3 points)

cc @lukeheath

lukeheath commented 1 month ago

@sharon-fdm Please use labels instead of adding notes to issue titles. We have an :estimate label you can use to mark that this issue needs to be estimated. Thanks!

sharon-fdm commented 1 month ago

@lukeheath, @noahtalerman, looks like we underestimated the time it will take to specify/design a way to go forward. This will require investing some time in understanding both how to force the disk encryption and how to escrow the key.

We defined 2 PoCs for the above tasks and estimated each with 3 points (1 day each). This means the estimation will not be available as we start the sprint. (A very wild guess is that it's a full sprint for one person on backend and a few FE points)

Assigning a P2 label as agreed with Luke.

cc @lucasmrod

rachaelshaw commented 1 month ago

TODO:
screenshots

mostlikelee commented 2 weeks ago

@rachaelshaw reminder we need copy for:

noahtalerman commented 1 week ago

Hey @mostlikelee @xpkoala @rachaelshaw we learned that numa has Kubuntu Linux workstations in addition to Ubuntu and Fedora.

In this user story, let's aim for the passphrase prompt to work for those 3 distros. I updated the user story (issue title and description) to reflect this.

If you run into any gotchas, please let me know if I can be helpful.

noahtalerman commented 4 days ago

(@noahtalerman: pulled this question out of Figma. We want to use GitHub/Slack for questions instead of Figma comments: https://fleetdm.com/handbook/product-design#drafting)

@jacobshandling: @rachaelshaw, I see no tooltip underlines here, where there are tooltips for premium. Is that intentional?

(screenshot from Figma here)

rachaelshaw commented 4 days ago

@jacobshandling forgot to add the underlines for that version of the screen, it should be the same. Will fix the Figma momentarily.

noahtalerman commented 3 days ago

@zayhanlon heads up that the scope of this user story changed. This user story now adds support for disk encryption & key escrow for Ubuntu and Fedora Linux.

We carved out a separate story here for Kubuntu Linux (the 3rd Linux distro numa has). The target for Kubuntu support is 4.61.