This is a notification that we have published a high severity security fix to IncusOS as build version 202603142010.
IncusOS users, particularly those running IncusOS in environments where an attacker could gain physical access to the server without being easily detected, should immediately apply the new stable update.
The vulnerability allows data to be easily extracted even from a fully shut down IncusOS machine, without needing access to the recovery key or any participation by the machine's owner.
Because the attack allows for the extraction of the persistent encryption key, any system that may have been attacked in such a way will need to be fully reinstalled in order to prevent further attacks.
IncusOS users running in a trusted physical environment, or who are able to confirm that all IncusOS downtime was scheduled and expected, are still secure and don't need to do anything other than apply the new update.
All technical details can be found in the advisory "LUKS encryption bypass due to insufficient TPM policy" published on the lxc/incus-os GitHub repository.