Kubuntu: disk encryption & key escrow (LUKS)

[mostlikelee]

Goal

User story
As an IT admin,
I want to encrypt my Kubuntu Linux workstations and escrow the key to Fleet
so that my team can get access to encrypted data w/o the local password when an employee who used Linux leaves the company.

Key result

Deliver customer promises

Original request

• 19594

Context

• Product designer: @rachaelshaw

Changes

Product

See the following user story for UI, CLI, API, YAML, fleetd, activity, permissions, and paid tiers changes: https://github.com/fleetdm/fleet/issues/22074

• [ ] Feature guide changes: TODO
• [ ] Other reference documentation changes: TODO
• [ ] Once shipped, requester has been notified

Engineering

• [ ] Database schema migrations: I do not think there will be an additional DB fields. Engineer to approve.
• [x] Load testing: Not needed.

Scope:

• support launching Fleet Desktop systray
• support kdialog as a LUKS passphrase GUI

Fleet desktop does not currently display in kubuntu. If kubuntu is detected, append XDG_CURRENT_DESKTOP=Unity as a parameter to the fleet desktop launcher in fleet: https://github.com/fleetdm/fleet/blob/cab2426bf4494925e1eb8b01b5f53f61be77827b/orbit/pkg/execuser/execuser_linux.go#L62

Kubuntu does not include zenity by default. Use kdialog instead.

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

• Test supported OSes for this feature: Ubuntu, kubuntu, Fedora
• Test feature does not appear on other Fleet supported Linux OSes

Testing notes

• @noahtalerman: customer-numa has Ubuntu Linux 20, 22, and 24 workstations. They also have Fedora and Kubuntu Linux workstations.
  • TODO: @noahtalerman: What versions of Fedora and Kubuntu?

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[iansltx]

Acceptance criteria includes versions down to 20.04.

[sharon-fdm]

@lukeheath, @noahtalerman, per my understanding this is not blocking the feature for 4.60.0. Will be aiming for 4.61.0 TMWYT

[noahtalerman]

Will be aiming for 4.61.0

@sharon-fdm sounds good. I updated the issue description to match our user story format. FYI @mostlikelee

Sharon, there are these TODOs in the "Engineering" section. Can you please take these?

• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

[iansltx]

FWIW the current expectation is that this will be 99% agent, 1% FE (copy changes), 0% BE.