I need to enforce a strong custom password policy for LUKS FDE on Ubuntu 22.
I have successfully enforced it on the user account level by modifying /etc/pam.d/common-password. But the restrictions in this file do not get applied when changing a LUKS password via cryptsetup. cryptsetup seems to completely ignore this file, and I cannot find any information about applying custom password requirements to LUKS specifically.
Is there a way I can achieve this? This is probably a niche question but it is a hard requirement for my organization.
EDIT: Modifying /etc/security/pwquality.conf does not seem to work either, at least not on its own -- it does check for pw quality when changing the root password, but not for the cryptsetup commands specifically, when changing a LUKS keyslot pw.
In some of the docs I see this:
    --force-password
        Do not use password quality checking for new LUKS passwords.
        This option applies only to luksFormat, luksAddKey and
        luksChangeKey and is ignored if cryptsetup is built without
        password quality checking support.

        For more info about password quality check, see the manual page
        for pwquality.conf(5) and passwdqc.conf(5).
This is interesting. The implication here is that Ubuntu's cryptsetup has been built without "password quality checking support."
So I guess maybe the question is, is there a way to enable password quality check in cryptsetup, by altering some kind of config or running a command? Or is this parameter hard-coded into Ubuntu's cryptsetup implementation, and unable to be modified?
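
Added example (not part of the original question, and not cryptsetup or Ubuntu code): when the cryptsetup build applies no quality check of its own, a wrapper can vet the new passphrase against pwquality.conf-style settings before it ever runs luksAddKey or luksChangeKey. Assumptions: only a subset of the pwquality.conf(5) keys is handled (minlen, minclass, and negative dcredit/ucredit/lcredit/ocredit as required minimum counts), character classes are ASCII, and SAMPLE_CONF, parse_conf and violations are hypothetical names with constructed values.

```python
import re

# Constructed sample in pwquality.conf(5) "key = value" syntax; values are illustrative.
SAMPLE_CONF = """\
# organization policy (constructed)
minlen = 14
minclass = 3
dcredit = -1
ucredit = -1
"""

# Character classes counted by the credit settings (ASCII only in this example).
CLASSES = {
    "dcredit": r"[0-9]",
    "ucredit": r"[A-Z]",
    "lcredit": r"[a-z]",
    "ocredit": r"[^0-9A-Za-z]",
}

def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if re.fullmatch(r"-?\d+", value):
                policy[key] = int(value)
    return policy

def violations(passphrase, policy):
    """Return the policy keys the passphrase violates; empty list means accepted."""
    problems = []
    counts = {k: len(re.findall(rx, passphrase)) for k, rx in CLASSES.items()}
    if len(passphrase) < policy.get("minlen", 0):
        problems.append("minlen")
    if sum(1 for n in counts.values() if n) < policy.get("minclass", 0):
        problems.append("minclass")
    for key, n in counts.items():
        need = -policy.get(key, 0)  # negative credit = required minimum count
        if need > 0 and n < need:
            problems.append(key)
    return problems

if __name__ == "__main__":
    import getpass
    bad = violations(getpass.getpass("New LUKS passphrase: "), parse_conf(SAMPLE_CONF))
    # A wrapper would run cryptsetup luksAddKey / luksChangeKey only when this is empty.
    print("rejected: " + ", ".join(bad) if bad else "accepted")
```

This covers length and character-class rules only; it performs no dictionary or similarity check.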