
Encrypting updated image config overwrites existing TPM key
Status: Closed, Resolved (Public, BUG)

Description

Updating the system image (via the add system image command) copies over the config from the current image, whose config is encrypted.
Encryption is not enabled in the updated image, so enabling it there overwrites the key stored in the TPM. This causes the encrypted config load to fail when switching back to the previous system image:

Loading the previous image after enabling encryption in the latest image:

[  104.449960] vyos-router[874]: Mounting VyOS Config...done.
[  123.259602] vyos-router[1290]: No key available with this passphrase.
[  123.298193] vyos-router[874]: ERROR: Failed to decrypt config volume.

Loading the previous image after enabling and then disabling encryption in the latest image:

[  133.687194] vyos-router[874]: Mounting VyOS Config...done.
[  138.797179] vyos-router[874]: ERROR: Failed to fetch encryption key from TPM. Encrypted config volume has not been mounted

So the current behaviour is as described above; however, it could be that updating the system image should fully migrate the existing encryption rather than just copying the config contents to the new image. In that case the problem would be that the existing encryption is not migrated to the new image.

Steps to reproduce:

  1. Enable encryption
  2. Update system image via add system image command
  3. Enable encryption in the updated image
  4. Load previous image

Details

Version
2025.08.13-0020-rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)
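The failure mode above comes down to one TPM key slot shared by every installed image while the per-image config volume only matches one key. The model below is an added illustration, not VyOS code: the TPM, Image, and add_system_image/boot helpers, the single NV slot, and the SHA-256 fingerprint used to stand in for the LUKS key check are all assumptions made for the example. It reproduces both boot failures from the report and shows the difference when add system image carries the encryption state over instead of only the config contents.

```python
"""Model of the TPM config-encryption bug: one key slot shared by all images."""
import hashlib
import os


class TPM:
    """Stands in for the single TPM slot holding the config-volume key.

    Assumption for the example: one slot, no per-image keys.
    """

    def __init__(self):
        self.key = None

    def store(self, key):
        self.key = key          # overwrites whatever the previous image stored

    def clear(self):
        self.key = None

    def fetch(self):
        if self.key is None:
            raise RuntimeError("Failed to fetch encryption key from TPM")
        return self.key


def fingerprint(key):
    """Identify which key a config volume was encrypted with (stand-in for the LUKS header)."""
    return hashlib.sha256(key).hexdigest()


class Image:
    def __init__(self, name, config, key_fingerprint=None):
        self.name = name
        self.config = config                    # constructed config contents
        self.key_fingerprint = key_fingerprint  # set while the config volume is encrypted

    @property
    def encrypted(self):
        return self.key_fingerprint is not None


def enable_encryption(image, tpm):
    """Generate a fresh key, store it in the TPM slot, encrypt this image's volume with it."""
    key = os.urandom(32)
    tpm.store(key)
    image.key_fingerprint = fingerprint(key)


def disable_encryption(image, tpm):
    """Drop the key from the TPM and decrypt this image's volume."""
    tpm.clear()
    image.key_fingerprint = None


def add_system_image(current, name, migrate):
    """Copy the running config into a new image.

    migrate=False is the reported behaviour: contents are copied, encryption state is not.
    migrate=True carries the encrypted volume (and so the key reference) over as well.
    """
    if migrate and current.encrypted:
        return Image(name, current.config, current.key_fingerprint)
    return Image(name, current.config)


def boot(image, tpm):
    """Mount the config volume; raises with messages modelled on the boot log lines."""
    if not image.encrypted:
        return image.config
    key = tpm.fetch()
    if fingerprint(key) != image.key_fingerprint:
        raise RuntimeError("No key available with this passphrase")
    return image.config


def _outcome(image, tpm):
    try:
        boot(image, tpm)
        return "ok"
    except RuntimeError as exc:
        return str(exc)


def reproduce_enable(migrate):
    """Steps 1-4 of the report: enable, add image, enable in new image, load previous image."""
    tpm = TPM()
    old = Image("old", "set system host-name r1")
    enable_encryption(old, tpm)
    new = add_system_image(old, "new", migrate)
    if not new.encrypted:          # with migration the new image is already encrypted; nothing to redo
        enable_encryption(new, tpm)
    return _outcome(old, tpm)


def reproduce_enable_then_disable():
    """Second log in the report: enable and then disable in the new image, load previous image."""
    tpm = TPM()
    old = Image("old", "set system host-name r1")
    enable_encryption(old, tpm)
    new = add_system_image(old, "new", migrate=False)
    enable_encryption(new, tpm)
    disable_encryption(new, tpm)
    return _outcome(old, tpm)


if __name__ == "__main__":
    print("current behaviour, enable in new image :", reproduce_enable(migrate=False))
    print("current behaviour, enable then disable :", reproduce_enable_then_disable())
    print("with encryption migrated on image add  :", reproduce_enable(migrate=True))
```

The two error strings reproduce the two boot logs in the report: a fresh key in the slot fails the key check of the old volume, and a cleared slot fails before any key check. Migrating the encryption state with the image avoids the first case because the new image never generates a second key; the slot is still shared, so disabling encryption in any image still has to be treated as a router-wide operation.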

Event Timeline

Unknown Object (User) triaged this task as High priority. Aug 18 2025, 7:35 AM
Unknown Object (User) assigned this task to sarthurdev. Aug 18 2025, 7:40 AM
sarthurdev changed the task status from Open to In progress. Aug 18 2025, 8:03 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.