fai and cryptsetup

Michael Tautschnig mt at debian.org
Tue Oct 5 07:54:17 CEST 2010


[...]

> > > 
> > > Late to the party...
> > > 
> > > One other thing I had done a while ago is to randomly generate the
> > > passphrase (via pwgen) and email it to the "root user" along with the
> > > set of commands necessary for them to change it.  Obviously who the
> > > "root user" is would have to be set somewhere and the NFSROOT built with
> > > that support.
> > >
> > 
> > I guess this is best achieved via scripts and/or hooks; I'd prefer not to build
> > this feature into setup-storage (but then again I'm not sure you had actually
> > been suggesting this).
> > 
> > > I'd also left the key file there rather than removing it.  Somewhat as a
> > > fallback in case the passphrase was forgotten.  I could see this being
> > > nice to have as a switch option (eg: lukskeyfile:generate+leave).
> > > 
> > 
> > Same here: Please go for scripts/hooks instead. Why so? Well, if we leave a
> > keyfile around but access is possible using a passphrase the FAI user might
> > forget about that extra keyfile; if anybody gets hold of that keyfile, there's a
> > security leak, which is pretty hard to spot. Instead, adding a hook or script
> > should be pretty easy, it could just pick the passphrase from the disk_config
> > file and add a keyfile which is put wherever the user wishes to see it (the
> > keyfiles generated by setup-storage are left behind in /tmp/fai). Well, and
> > there's the hope that the added pain of adding an extra hook/script makes the
> > admin not forget about the extra keyfile.
> > 
> > Best,
> > Michael
> 
> Agreed, just offering some other options for people to consider when
> setting this up.
> 

I think it would be great if you could share some of your scripts/hooks, if you set
up such stuff. The FAI wiki would probably be the best place to do this,
together with a short notification on this list.

Thanks a lot,
Michael
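
The hook/script suggested above, as an added example that is not part of the thread, of FAI or of setup-storage: it pulls the passphrase out of a disk_config line, generates a random keyfile, and enrolls that keyfile as an additional LUKS key slot so the passphrase keeps working. Everything about the interface is assumed: that the passphrase appears in disk_config as luks:"<passphrase>", that the caller supplies DISK_CONFIG, LUKS_DEVICE and KEYFILE, and that it runs from a FAI script or hook after setup-storage has created the device. The passphrase is handed to cryptsetup through a 0600 temporary file so it never shows up in the process list; the file is written without a trailing newline, which must match how the existing slot was created.

```shell
#!/bin/sh
# Added example (not FAI/setup-storage code): add a keyfile to a LUKS
# volume whose passphrase is recorded in a disk_config file.
#
# Assumptions, not taken from the thread:
#   - disk_config carries the passphrase as  luks:"<passphrase>"
#   - DISK_CONFIG, LUKS_DEVICE and KEYFILE are set by the caller
#     (e.g. from a FAI hook), otherwise only the functions are defined
set -eu

# Print the passphrase from the first  luks:"..."  option in the
# disk_config text on stdin. Returns 1 when no such option exists.
extract_passphrase() {
    sed -n 's/.*luks:"\([^"]*\)".*/\1/p' | head -n 1 | grep .
}

# Write SIZE random bytes to KEYFILE, never world-readable, then 0400.
make_keyfile() {
    keyfile=$1
    size=${2:-4096}
    (umask 077 && head -c "$size" /dev/urandom > "$keyfile")
    chmod 0400 "$keyfile"
}

# Enroll KEYFILE as an extra key slot on DEVICE. The existing passphrase
# goes through a 0600 temp file (mktemp) read by --key-file, so it is
# not visible on the command line. No trailing newline: cryptsetup uses
# the file contents verbatim, unlike an interactively typed passphrase.
enroll_keyfile() {
    device=$1; keyfile=$2; passphrase=$3
    pass_tmp=$(mktemp)
    printf '%s' "$passphrase" > "$pass_tmp"
    cryptsetup luksAddKey --key-file "$pass_tmp" "$device" "$keyfile"
    rm -f "$pass_tmp"
}

main() {
    passphrase=$(extract_passphrase < "$DISK_CONFIG") || {
        echo "no luks:\"...\" option found in $DISK_CONFIG" >&2
        exit 1
    }
    make_keyfile "$KEYFILE"
    enroll_keyfile "$LUKS_DEVICE" "$KEYFILE" "$passphrase"
    # The leftover keyfile is a second way into the volume; say so loudly.
    echo "keyfile $KEYFILE now unlocks $LUKS_DEVICE: record where it lives" >&2
}

# Only act when the caller supplied a configuration.
if [ -n "${DISK_CONFIG:-}" ]; then
    main
fi
```

Run it as DISK_CONFIG=/path/to/disk_config LUKS_DEVICE=/dev/sda2 KEYFILE=/root/sda2.key sh script (cryptsetup needs root). Adding the slot requires the passphrase already enrolled by setup-storage, so a wrong disk_config passphrase fails safely at luksAddKey rather than silently leaving the volume without the new key.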
