
Encryption disable prompts for a recovery key even if volume already mounted
Closed, Resolved · Public · BUG

Description

In the non-TPM scenario, trying to disable encryption prompts for the recovery key even though the volume is mounted. According to the implementation notes, the system is expected to disable encryption without asking for the key when the volume is mounted.

vyos@vyos:~$ encryption disable 
Enter key:

Steps to reproduce:

  1. Enable encryption with no TPM in place:
     encryption enable
  2. Disable encryption:
     encryption disable

Details

Version
2025.08.13-0020-rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

sarthurdev changed the task status from Open to In progress. Aug 19 2025, 11:06 AM
sarthurdev triaged this task as Normal priority.

Tested this scenario

vyos@vyos-def:~$ encryption enable
WARNING: VyOS will boot into a default config when encrypted without a TPM
You will need to manually login with default credentials and use "encryption load"
to mount the encrypted volume and use "load /config/config.boot"
Are you sure you want to proceed? [y/N] y
Enter key: 1534138556418564135416543541638431531635153135413
Enter size of encrypted config partition (MB):  (Default: 512) 512
Encrypted config volume has been enabled without TPM
Backup the key in a safe place!
Key: 1534138556418564135416543541638431531635153135413
vyos@vyos-def:~$ encryption disable
Moving existing /config folder to /config.old
Do you want to clear the TPM? This will cause issues if other system images use the key [y/N] y
Encrypted config volume has been disabled

Summary:

Works properly as expected, without requesting the recovery key when the volume is mounted.

sarthurdev moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
sarthurdev moved this task from Need Triage to Completed on the VyOS Rolling board.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.