On 25 August 2013 17:54, PHP Nut <[email protected]> wrote:
> I'd like to extend the installer's cryptsetup script to allow for:
>
> 1. Execution of a pre-cryptsetup script, if it exists, placed conveniently
> in the root of the installation medium.
> 2. User specification of parameters.
>
> The official installers do not allow this. While we can work around this
> manually, that is a laborious chore for every install of every release.
>
> Where is the installer's cryptsetup script located?
>
> We need this because:
>
> 1. Fresh systems lack sufficient, trustworthy entropy - virtual machines
> even more so.

There is "pollination" work ongoing in Ubuntu to securely provision / add entropy to freshly provisioned machines. At the moment virtual machines / cloud instances are targeted, but I hope it will be extended to other machines.

> 2. There are valid reasons for cipher changes from default (or just a
> reassuring re-specification). Setting aside some of the pointless changes
> and baseless paranoia we see on the forums, there is one major reason to do
> this: AES-128 is faster (with and without AES-NI) and sufficient to keep the
> data private, but certain people are contractually bound to use AES-256 FDE
> on all systems used in furtherance of certain contracts. Some of them are
> bound to FIPS compliance, others to a list of bullet points lifted from the
> spec.
> 3. Custom specification of the identity and the hardness parameters of the
> KDF are useful. The installer tries to strike a balance, but this balance is
> not appropriate in all situations.
> 4. Better support of the currently laborious task of setting up two-factor
> key derivation from a password and key file.
> 5. As a matter of principle, critical security settings should not be hidden
> and hard to modify. That doesn't mean that the default installer should make
> it easy for unknowledgeable people to break things, or that we must spend
> time letting every parameter be tweaked, but it does require at least some
> documented exposure intended for modification.
>

I believe all/most partman-crypto settings can be easily preseeded. If that's not the case, bug reports / patches against partman-crypto are very welcome. We strive for the highest available / trustworthy crypto settings. Since 12.04.4 LTS or any higher version of Ubuntu, we default to AES-256 & xts-plain64 (choosing xts triggers doubling the keysize both in partman-crypto and cryptsetup by the looks of things, thus actually we might be ending up with AES-1024; I'll verify that). This is in line with the highest & currently recommended security levels.

If you still wish to override these highly secure defaults, you can specify key sizes, algorithms, etc. by preseeding partman-crypto/* values in your preseed file. A sample of the values used is listed here:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/partman-crypto/trusty/view/head:/debian/partman-crypto.templates

> The pre-cryptsetup script allows the user to solve the problems associated
> with entropy and two-factor keying but without having to modify the
> installation tree for each image. A post-cryptsetup script along the same
> lines would also be useful.
>

I'm not quite sure what you mean by pre/post-cryptsetup scripts. d-i based installations allow injecting arbitrary script execution at multiple points during installation. You can preseed the following keys:

* d-i preseed/early_command
* d-i partman/early_command
* d-i preseed/late_command

Which allow very early execution of any shell commands, just before partitioning, or after installation is done. See the upstream debian-installer documentation on how to use those preseed values: https://www.debian.org/releases/stable/i386/apbs05.html.en

> Parameter specification is fairly straightforward. We need a script which
> sets a few variables and optionally allows the substitution of a custom
> command.
>
> How might I get started on this?
>

I'd recommend that you first explore all the available preseed options, as I believe you can achieve/change everything you need using existing facilities. A good interactive way to experience them is by using d-i in expert installation mode - at Ubuntu server image boot, choose expert installation mode in the menus.

--
Regards,

Dimitri.
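
The hook points named in the reply above, shown as a preseed fragment. This is an added example and not part of the original message or of the installer's own files; the hook file names, the log tags and the assumption that the installation medium is mounted at /cdrom are illustrative.

```cfg
# Constructed preseed fragment. The hook file names, the log tags and the
# /cdrom mount point are assumptions made for this example.

# Runs just before partitioning, so before the encrypted volumes are set up.
# It logs the kernel's entropy estimate, then runs the hook only if the
# installation medium actually carries one.
d-i partman/early_command string \
    logger -t pre-crypt "entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail)"; \
    if [ -f /cdrom/pre-cryptsetup.sh ]; then \
        sh /cdrom/pre-cryptsetup.sh 2>&1 | logger -t pre-crypt; \
    fi

# Runs after installation is done, not directly after cryptsetup.
d-i preseed/late_command string \
    if [ -f /cdrom/post-cryptsetup.sh ]; then \
        sh /cdrom/post-cryptsetup.sh 2>&1 | logger -t post-crypt; \
    fi
```

Anything these hooks run executes as root inside the installer, so the medium and the preseed file need the same integrity protection as the installer image itself.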
