Hi,

As a learning exercise I'm seeing how to best use the yubikey-luks package from within a fresh installation of Debian (that is, from the earliest possible moment).

I've given a quick read to the Debian Installer Internals [1] page and the install guide preseed appendix [2] for insight on how to go about it, and so far I have thought of these scenarios:

1. Get yubikey-luks to work directly from the installer to set up a yubikey and pass the appropriate details to partman to set up the partitions directly with it.
2. Preseed a static LUKS passphrase to the installer. Then, after the base system is ready, configure yubikey-luks prior to the first reboot.
3. Same as 2, but set up the yubikey during the first boot with a one-time boot script.

Number three is probably the easiest (and most boring), but I would need the LUKS key to be preseeded, and from the preseed sample [3] it does not appear that this can be provided from a seed file.

Question 1: Can the LUKS passphrase be preseeded to partman somehow?

If I manage this, then I need to hook some code at the end of the setup to install the one-time boot script. I've read that d-i has hooks, so that I can drop a script somewhere and it will be run at the appropriate time, from which I could install my script on the target system. So far I do not see how I can provide such hook scripts. It looks to me like I have to build a custom udeb package to provide it.

Question 2: What would be the easiest / simplest approach to provide custom scripts / hook scripts to d-i?

With those two details, I think both 2 & 3 are feasible. At that point it would mostly be a matter of writing the proper script to set up the yubikey from within the target system without having to really worry about d-i internals.

The next improvement to this would be to NOT use a preseeded passphrase and instead generate a random passphrase during install, which would be removed at the end after setting up the yubikey. I guess I'll be able to guess that one with questions 1 & 2 (I'd write a simple hook before partman to generate the passphrase and seed it before partman runs). Any tips much appreciated anyway :)

I think number 2 with a temporary random passphrase is the way to go, as it requires the least mangling with the installer by keeping all the yubikey-related stuff constrained to the target system. Number 1 looks to me like it would not make for a much better scenario (it would just avoid the need for the temporary passphrase) at the expense of mangling a lot more with the installer, needing a custom module for setting up the yubikey and, probably, having to mess a lot with the yubikey-luks & dependency packages to have them work within the d-i system.

So, any pointers on how to achieve 2, especially the two questions above, are much appreciated!

Thanks,
Marc

PS: I am not subscribed to debian-boot, I was about to but there are lots of mails there! So, please don't forget to include me in the reply-to :)

[1] https://d-i.debian.org/doc/internals/
[2] https://www.debian.org/releases/buster/amd64/apb.en.html
[3] https://www.debian.org/releases/buster/example-preseed.txt

