fai and cryptsetup

Michael Tautschnig mt at debian.org
Sat Sep 25 22:29:38 CEST 2010


Hi Patrick,

Thanks a lot for reporting back so quickly!

> On Sat, Sep 25, 2010 at 01:29:47PM +0200, Michael Tautschnig wrote:
> > Thanks for pointing out the typo, it made debugging much easier; I'll also try
> > to make the error message a bit more helpful. But, well, debugging revealed a
> > problem in your config:
> 
> Just as a remark: the installation worked this way. However, with the
> current support in setup-storage a FAI-installed system will NOT be able
> to boot from an encrypted root filesystem.
> 
> 1. The keyfile is written to /tmp/fai (or /var/log/fai/localhost/last/
> on the resulting installed machine) where it will never be available
> during the boot.
> 
> 2. The crypttab is written with the /tmp/fai filename, which becomes invalid
> as soon as the system is rebooted.
> 

This is intentional and documented in the setup-storage man page, last stanza of
"CAVEATS" (at the very end of the man page). The simple reason is that it is
hard to guess where the keyfile should be put.

> 3. Booting from an encrypted root with a keyfile seems to be problematic
> anyway. At least I haven't yet managed to get a working installation
> with it (and don't want to invest much time in it, as it's not the wanted
> goal anyway).
> 

As far as I understood, the idea is to put a keyfile on removable media -
doesn't that work as expected?

> What I'll now try in order to get an encrypted FAI installation bootable:
> add a script that adds a new LUKS key (a default passphrase) and changes the
> crypttab so that it does not reference a keyfile, then trigger initramfs
> recreation.
> 
> Any other options (with setup-storage support itself, maybe?)
> 

If you can describe a workflow that is fully non-interactive, we could definitely
improve setup-storage so as to cater for that. I have never used cryptsetup
myself, hence the questions. But ideas are most welcome!

For now, however, I'd suggest adding a hook partition.SOMECLASS.source that
- changes the encryption to use a passphrase
- edits the crypttab (which was generated by setup-storage)
- moves crypttab to a proper location
To ensure the initramfs rebuild, you might need to add code to some script
executed at the end, depending on whether update-initramfs is called during
installation anyway or not.

Hope this helps,
Michael
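
The hook sketched in the reply above, written out as an added example; this is
not code from the thread or from FAI itself, and it is a hypothetical
hooks/partition.CRYPT.source. It assumes that FAI exports $LOGDIR (the /tmp/fai
directory from the thread, where setup-storage leaves its crypttab and the
keyfile), $target (the mount point of the installed system) and FAI_ACTION,
and that a default passphrase is handed in through the invented variable
FAI_CRYPT_PASSPHRASE. The sample crypttab, including the keyfile name, is
constructed. The crypttab rewriting is a pure text filter so it can be checked
without cryptsetup; the cryptsetup and update-initramfs calls only run inside a
real installation, and should be verified against the cryptsetup version you
install.

```shell
#!/bin/bash
# Added example, not part of the thread or of FAI: a hypothetical
# hooks/partition.CRYPT.source that converts the keyfile-based LUKS setup
# written by setup-storage into a passphrase-based one, so the installed
# system can prompt for the passphrase at boot.
#
# Assumed FAI variables: $LOGDIR (/tmp/fai in the thread), $target, FAI_ACTION.
# Invented: $FAI_CRYPT_PASSPHRASE (default passphrase), the sample crypttab.

# Constructed sample of a setup-storage crypttab (keyfile name is invented).
SAMPLE_CRYPTTAB='# generated by setup-storage
crypt_sda2 /dev/sda2 /tmp/fai/crypt_sda2.key luks
crypt_sdb1 /dev/sdb1 none luks'

# Print "name device keyfile" for every crypttab entry (stdin) that still
# unlocks with a keyfile, i.e. whose third column is neither empty nor "none".
keyfile_entries() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $3 != "" && $3 != "none" { print $1, $2, $3 }'
}

# Rewrite a crypttab (stdin -> stdout) so entries whose keyfile lived under
# directory $1 use "none": the initramfs then asks for a passphrase instead of
# looking for a file that no longer exists after reboot. Other entries are
# passed through untouched.
rewrite_crypttab() {
    keydir="${1%/}"
    awk -v keydir="$keydir" -v OFS='\t' '
        /^[[:space:]]*(#|$)/ { print; next }
        index($3, keydir "/") == 1 { $3 = "none" }
        { print }'
}

# Replace the keyfile slot on one LUKS device with a passphrase.
# Order matters: add the passphrase first, then remove the keyfile, so the
# volume is never left without a usable key. The new passphrase is read from
# stdin without a trailing newline, matching what the boot prompt supplies.
convert_to_passphrase() {
    device="$1"; keyfile="$2"; passphrase="$3"
    printf '%s' "$passphrase" | cryptsetup luksAddKey --key-file "$keyfile" "$device" -
    cryptsetup luksRemoveKey "$device" "$keyfile"
}

# Rebuild the installed system's initramfs so it picks up the new crypttab.
# Depending on when FAI itself runs update-initramfs, this may belong in a
# script executed at the end of the installation rather than in this hook.
rebuild_initramfs() {
    chroot "$target" update-initramfs -u -k all
}

run_hook() {
    keydir="${LOGDIR:?LOGDIR not set}"
    passphrase="${FAI_CRYPT_PASSPHRASE:?no default passphrase given}"
    src="$keydir/crypttab"
    dst="$target/etc/crypttab"

    # Convert every volume that setup-storage keyed with a file, then destroy
    # the keyfile: after luksRemoveKey it unlocks nothing any more.
    keyfile_entries < "$src" | while read -r name device keyfile; do
        convert_to_passphrase "$device" "$keyfile" "$passphrase"
        shred -u -- "$keyfile"
    done

    # Move the crypttab to where the installed system will read it.
    rewrite_crypttab "$keydir" < "$src" > "$dst"
    chmod 0644 "$dst"
    rebuild_initramfs
}

# Only act inside a real FAI installation run; sourcing the file elsewhere
# (for instance to test the filters) changes nothing.
if [ "${FAI_ACTION:-}" = install ] && [ -n "${target:-}" ]; then
    run_hook
fi
```

A default passphrase baked into the config space is only an installation
convenience: whoever can read the config space can unlock every machine
installed with it, so the first-boot procedure should replace it (cryptsetup
luksChangeKey on the device) before the machine holds anything worth
protecting.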
