[...]
> > >
> > > Late to the party...
> > >
> > > One other thing I had done a while ago is to randomly generate the
> > > passphrase (via pwgen) and email it to the "root user" along with the
> > > set of commands necessary for them to change it. Obviously who the
> > > "root user" is would have to be set somewhere and the NFSROOT built with
> > > that support.
> > >
> >
> > I guess this is best achieved via scripts and/or hooks; I'd prefer not to build
> > this feature into setup-storage (but then again I'm not sure you had actually
> > been suggesting this).
> >
> > > I'd also left the key file there rather than removing it. Somewhat as a
> > > fallback in case the passphrase was forgotten. I could see this being
> > > nice to have as a switch option (eg: lukskeyfile:generate+leave).
> > >
> >
> > Same here: Please go for scripts/hooks instead. Why so? Well, if we leave a
> > keyfile around but access is possible using a passphrase the FAI user might
> > forget about that extra keyfile; if anybody gets hold of that keyfile, there's a
> > security leak, which is pretty hard to spot. Instead, adding a hook or script
> > should be pretty easy, it could just pick the passphrase from the disk_config
> > file and add a keyfile which is put wherever the user wishes to see it (the
> > keyfiles generated by setup-storage are left behind in /tmp/fai). Well, and
> > there's the hope that the added pain of adding an extra hook/script makes the
> > admin not forget about the extra keyfile.
> >
> > Best,
> > Michael
>
> Agreed, just offering some other options for people to consider when
> setting this up.
>
I think it would be great if you could share some of your scripts/hooks, if you
set up such stuff. The FAI wiki would probably be the best place to do this,
together with a short notification on this list.

Thanks a lot,
Michael
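
Added example, not part of the original thread and not FAI or setup-storage code: a small check that makes a forgotten extra credential on a LUKS volume visible by listing the enabled key slots in `cryptsetup luksDump` output and comparing the count with what the admin expects. It assumes the LUKS1 dump layout ("Key Slot N: ENABLED/DISABLED"); the sample dump, the device name and the function names are constructed for illustration.

```python
import re

# Constructed, abridged sample of `cryptsetup luksDump` output for a LUKS1
# header. Device name and values are made up for this example.
SAMPLE_DUMP = """\
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
    Iterations:             100000
Key Slot 1: ENABLED
    Iterations:             100000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)\s*$", re.MULTILINE)


def enabled_slots(dump_text):
    """Return the sorted list of enabled key slot numbers in a LUKS1 dump."""
    slots = {int(n): state for n, state in SLOT_RE.findall(dump_text)}
    if not slots:
        raise ValueError("no 'Key Slot N:' lines found; not a LUKS1 luksDump?")
    return sorted(n for n, state in slots.items() if state == "ENABLED")


def audit(dump_text, expected):
    """Compare the enabled slots with the number of credentials the admin
    believes exist. Returns (ok, enabled_slot_numbers)."""
    enabled = enabled_slots(dump_text)
    return len(enabled) == expected, enabled


if __name__ == "__main__":
    # The admin remembers only the passphrase, so expects one credential.
    ok, enabled = audit(SAMPLE_DUMP, expected=1)
    print("enabled key slots:", enabled)
    if not ok:
        print("WARNING: number of credentials differs from what was expected")
```

The dump does not say whether a slot holds a passphrase or a keyfile, so a mismatch only shows that another credential exists; tracking down the keyfile itself is still up to the admin.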
