Michael Tautschnig <[email protected]> 2010-10-04 18:44: > Hi Brian, > > > Patrick Schoenfeld <[email protected]> 2010-09-26 13:04: > > > Hi, > > > > > > On Sun, Sep 26, 2010 at 01:00:46AM +0200, Michael Tautschnig wrote: > > > > Indeed, it was easy :-) - as of 4.0~beta2+experimental17 you should be > > > > able to > > > > use > > > > > > > > luks:"Your passphrase" / ... > > > > > > > > instead of just "luks" to get a device encrypted with the passphrase of > > > > your > > > > choice. The crypttab then has "none" for the keyfile name, which should > > > > make it > > > > ask you for a passphrase at bootup. Big fat WARNING: this is untested, > > > > but > > > > testing would be much appreciated :-) > > > > > > it seems that the implementation is wrong. I can see from the log that > > > it uses the passphrase to generate a key file. That is not right. > > > Unfortunately I see the dillemma. You either have to specify a keyfile > > > to luksFormat or enter the passphrase on generation, which will not work > > > without using expect or something. > > > > > > My suggestion: > > > - Use the keyfile to init the device > > > - After that: Add the passphrase via cryptsetup luksAddKey > > > - Remove the slot with the keyfile from luks > > > - Generate the crypttab in the way you've described > > > > > > I know its kind of ugly but probably the only way to go without > > > expect'ing the input of luksFormat. > > > > > > Regards, > > > Patrick > > > > Late to the party... > > > > One other thing I had done a while ago is to randomly generate the > > passphrase (via pwgen) and email it to the "root user" along with the > > set of commands necessary for them to change it. Obviously who the > > "root user" is would have to be set somewhere and the NFSROOT built with > > that support. > > > > I guess this is best achieved via scripts and/or hooks; I'd prefer not to > build > this feature into setup-storage (but then again I'm not sure you had actually > been suggesting this). > > > I'd also left the key file there rather than removing it. Somewhat as a > > fallback in case the passphrase was forgotten. I could see this being > > nice to have as an switch option (eg: lukskeyfile:generate+leave). > > > > Same here: Please go for scripts/hooks instead. Why so? Well, if we leave a > keyfile around but access is possible using a passphrase the FAI user might > forget about that extra keyfile; if anybody gets hold of that keyfile, > there's a > security leak, which is pretty hard to spot. Instead, adding a hook or script > should be pretty easy, it could just pick the passphrase from the disk_config > file and add a keyfile which is put wherever the user whishes to see it (the > keyfiles generated by setup-storage are left behind in /tmp/fai). Well, and > there's the hope that the added pain of adding an extra hook/script makes the > admin not forget about the extra keyfile. > > Best, > Michael
Agreed, just offering some other options for people to consider when setting this up. Cheers, Brian
signature.asc
Description: Digital signature
