fai and cryptsetup

Brian Kroth bpkroth at gmail.com
Fri Oct 1 20:02:57 CEST 2010


Patrick Schoenfeld <patrick.schoenfeld at googlemail.com> 2010-09-26 13:04:
> Hi,
> 
> On Sun, Sep 26, 2010 at 01:00:46AM +0200, Michael Tautschnig wrote:
> > Indeed, it was easy :-) - as of 4.0~beta2+experimental17 you should be able to
> > use
> > 
> > luks:"Your passphrase" / ...
> > 
> > instead of just "luks" to get a device encrypted with the passphrase of your
> > choice. The crypttab then has "none" for the keyfile name, which should make it
> > ask you for a passphrase at bootup. Big fat WARNING: this is untested, but
> > testing would be much appreciated :-)
> 
> it seems that the implementation is wrong. I can see from the log that
> it uses the passphrase to generate a key file. That is not right.
> Unfortunately I see the dilemma. You either have to specify a keyfile
> to luksFormat or enter the passphrase on generation, which will not work
> without using expect or something.
> 
> My suggestion:
> - Use the keyfile to init the device
> - After that: Add the passphrase via cryptsetup luksAddKey
> - Remove the slot with the keyfile from luks
> - Generate the crypttab in the way you've described
> 
> I know it's kind of ugly but probably the only way to go without
> expect'ing the input of luksFormat.
> 
> Regards,
> Patrick

Late to the party...

One other thing I had done a while ago is to randomly generate the
passphrase (via pwgen) and email it to the "root user" along with the
set of commands necessary for them to change it.  Obviously who the
"root user" is would have to be set somewhere and the NFSROOT built with
that support.

I'd also left the key file there rather than removing it.  Somewhat as a
fallback in case the passphrase was forgotten.  I could see this being
nice to have as a switch option (eg: lukskeyfile:generate+leave).

Brian
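Patrick's four steps and Brian's keep-the-keyfile variant, written out as one standalone script. This is an added example, not code from FAI or from either poster; the temporary keyfile path, the device and mapping-name arguments, and the `pwgen` call are assumptions.

```shell
#!/bin/sh
# Added example, not FAI's code: Patrick's keyfile-then-passphrase sequence,
# with Brian's "keep the keyfile as a fallback" variant behind KEEP_KEYFILE=1.
# The keyfile path, device argument and mapping name are assumptions.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Format with a random keyfile, add the passphrase as a second key slot,
# then remove the keyfile slot so only the passphrase remains.
luks_setup() {
    dev=$1; keyfile=$2; pass=$3
    run touch "$keyfile"
    run chmod 600 "$keyfile"
    run dd if=/dev/urandom of="$keyfile" bs=64 count=1
    # --batch-mode skips the interactive "Are you sure?" confirmation
    run cryptsetup --batch-mode luksFormat --key-file "$keyfile" "$dev"
    # existing key comes from the keyfile; the new passphrase is read from
    # stdin because it is not a terminal, so no expect is needed
    printf '%s' "$pass" | run cryptsetup luksAddKey --key-file "$keyfile" "$dev"
    if [ "${KEEP_KEYFILE:-0}" != 1 ]; then
        # luksRemoveKey drops the slot that matches the given key material
        run cryptsetup luksRemoveKey "$dev" "$keyfile"
        run shred -u "$keyfile"
    fi
}

# crypttab entry: "none" in the key field makes boot prompt for a passphrase
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

main() {
    dev=$1; name=${2:-cryptroot}
    keyfile=/tmp/luks-install.key          # assumed temporary location
    pass=$(pwgen -s 20 1)                  # random initial passphrase, as Brian did
    luks_setup "$dev" "$keyfile" "$pass"
    crypttab_line "$name" "$(cryptsetup luksUUID "$dev")" >> /etc/crypttab
    printf 'Initial passphrase for %s: %s\n' "$dev" "$pass"
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run as `sh script.sh /dev/sdX cryptroot` on the target; with `DRY_RUN=1` it only lists the cryptsetup calls it would make.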