setup-storage does not create crypttab

Michael Tautschnig mt at debian.org
Wed Sep 23 14:54:31 CEST 2009


[...]

> >
> > You can download/install them by adding the experimental/koeln repository as
> > described on the wiki page:
> >
> > http://faiwiki.debian.net/index.php/Main_Page#getting_FAI
> >
> > Best,
> > Michael
> >   
> I tried today with 3.2.23beta4, and it did not work :-(
> 

Hmm, that version number doesn't really look like any of the experimental ones
(should have +experimentalX in there), but anyway your results look kind of fine
to me :-)

> What I see is a crypttab which is in /tmp/fai/crypttab during install
> and later saved to the log folder, but this one does not get copied to
> the target. Moreover, this crypttab refers to a keyfile in /tmp, like this:
> 
> crypt_dev_vg1_tmp   /dev/mapper/vg1-tmp   /tmp/fai/crypt_dev_vg1_tmp   luks
> 
> But what I want is
> 
> crypt_dev_vg1_tmp   /dev/mapper/vg1-tmp   /dev/urandom   tmp
> 
> That's what setup-storage is supposed to do, right? (At least if using
> the :randinit option)
> 

- copying crypttab (just like fstab) would mean copying it in task_extrbase,
  it's not really setup-storage that takes care of this. We should probably just
  add this code to task_extrbase, but meanwhile I'd ask you to do it in some
  hand-made script. I think that shouldn't be a show-stopper.
- The keyfile is stored in /tmp because in my opinion the user should decide how
  to handle decryption in the installed system; using /dev/urandom might be fine
  for /tmp or swap, but in general you will need to access a fixed key. One
  quite frequent setup is moving key files to a USB device.
- :randinit performs random initialization of the device _once_. Maybe the man
  page is not quite clear about that fact, sorry.

That said, I'd happily take suggestions on how all the above could be improved,
because apparently it did not match your expectations. I'm not yet using
encryption myself and therefore rely on input from people using this feature.

> Additionally, I forgot to mention in my first post that I need to load
> the device mapper modules including dm_crypt manually using a
> partition.DEFAULT hook. Without that, no LVM (even without encryption)
> will work, complaining about lack of device-mapper support.
> 

If your config space is based on the simple example, you might want to merge
some changes from current simple examples: class/20-hwdetect.source has all the
stuff you need :-)

Thanks a lot for taking the time to test all this and report back!

Best,
Michael
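A hand-made script of the kind suggested in the reply above, as an added example that is not part of the original mail or of FAI itself. It assumes a `$target` variable holding the target root mount point and the naming convention that throw-away volumes end in `tmp` or `swap`; everything else keeps its keyfile so the user can still decide how to handle decryption later.

```shell
#!/bin/sh
# Added example, not FAI's or the author's own code: a hand-made hook of the kind
# suggested above. It reads the crypttab that setup-storage left in /tmp/fai and
# rewrites the entries for throw-away volumes (names ending in "tmp" or "swap",
# an assumed naming convention) so they are keyed from /dev/urandom at each boot
# instead of from a keyfile under /tmp. With the "tmp"/"swap" options cryptsetup
# puts a fresh filesystem/swap signature on the volume at every boot, so such a
# volume must never hold data that has to survive a reboot. Entries with any
# other name keep their keyfile and options untouched.

# rewrite_crypttab: read a crypttab on stdin, write the rewritten one to stdout
rewrite_crypttab() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;  # keep comments/blanks
        esac
        # crypttab fields: name, source device, key file, options
        set -- $line
        name=$1; dev=$2; key=${3:-none}; opts=${4:-}   # "none" = ask passphrase
        case "$name" in
            *tmp)  key=/dev/urandom; opts=tmp ;;
            *swap) key=/dev/urandom; opts=swap ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$name" "$dev" "$key" "$opts"
    done
}

# install_crypttab SRC TARGET_ROOT: write the rewritten table into the target
install_crypttab() {
    [ -f "$1" ] || { echo "no crypttab at $1" >&2; return 1; }
    mkdir -p "$2/etc"
    rewrite_crypttab < "$1" > "$2/etc/crypttab" && chmod 0644 "$2/etc/crypttab"
}

# Constructed sample in the shape of the table quoted in this thread.
sample_crypttab() {
    cat <<'EOF'
# crypttab written by setup-storage (constructed sample)
crypt_dev_vg1_tmp   /dev/mapper/vg1-tmp   /tmp/fai/crypt_dev_vg1_tmp   luks
crypt_dev_vg1_home  /dev/mapper/vg1-home  /tmp/fai/crypt_dev_vg1_home  luks
EOF
}

# In a FAI hook the call would be: install_crypttab /tmp/fai/crypttab "$target"
sample_crypttab | rewrite_crypttab
```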

