fai and cryptsetup

Michael Tautschnig mt at debian.org
Mon Oct 4 18:44:58 CEST 2010 

Hi Brian,

> Patrick Schoenfeld <patrick.schoenfeld at googlemail.com> 2010-09-26 13:04:
> > Hi,
> > 
> > On Sun, Sep 26, 2010 at 01:00:46AM +0200, Michael Tautschnig wrote:
> > > Indeed, it was easy :-) - as of 4.0~beta2+experimental17 you should be able to
> > > use
> > > 
> > > luks:"Your passphrase" / ...
> > > 
> > > instead of just "luks" to get a device encrypted with the passphrase of your
> > > choice. The crypttab then has "none" for the keyfile name, which should make it
> > > ask you for a passphrase at bootup. Big fat WARNING: this is untested, but
> > > testing would be much appreciated :-)
> > 
> > it seems that the implementation is wrong. I can see from the log that
> > it uses the passphrase to generate a key file. That is not right.
> > Unfortunately I see the dillemma. You either have to specify a keyfile
> > to luksFormat or enter the passphrase on generation, which will not work
> > without using expect or something.
> > 
> > My suggestion:
> > - Use the keyfile to init the device
> > - After that: Add the passphrase via cryptsetup luksAddKey
> > - Remove the slot with the keyfile from luks
> > - Generate the crypttab in the way you've described
> > 
> > I know its kind of ugly but probably the only way to go without
> > expect'ing the input of luksFormat.
> > 
> > Regards,
> > Patrick
> 
> Late to the party...
> 
> One other thing I had done a while ago is to randomly generate the
> passphrase (via pwgen) and email it to the "root user" along with the
> set of commands necessary for them to change it.  Obviously who the
> "root user" is would have to be set somewhere and the NFSROOT built with
> that support.
>

I guess this is best achieved via scripts and/or hooks; I'd prefer not to build
this feature into setup-storage (but then again I'm not sure you had actually
been suggesting this).

> I'd also left the key file there rather than removing it.  Somewhat as a
> fallback in case the passphrase was forgotten.  I could see this being
> nice to have as an switch option (eg: lukskeyfile:generate+leave).
> 

Same here: Please go for scripts/hooks instead. Why so? Well, if we leave a
keyfile around but access is possible using a passphrase the FAI user might
forget about that extra keyfile; if anybody gets hold of that keyfile, there's a
security leak, which is pretty hard to spot. Instead, adding a hook or script
should be pretty easy, it could just pick the passphrase from the disk_config
file and add a keyfile which is put wherever the user whishes to see it (the
keyfiles generated by setup-storage are left behind in /tmp/fai). Well, and
there's the hope that the added pain of adding an extra hook/script makes the
admin not forget about the extra keyfile.

Best,
Michael


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
Url : http://lists.uni-koeln.de/pipermail/linux-fai/attachments/20101004/ce9d9927/attachment.bin

More information about the linux-fai mailing list