[Fai-commit] r6405 - in trunk: lib/setup-storage man
Michael Tautschnig
mt at alioth.debian.org
Fri Apr 15 12:58:43 UTC 2011
Author: mt
Date: 2011-04-15 12:58:38 +0000 (Fri, 15 Apr 2011)
New Revision: 6405
Modified:
trunk/lib/setup-storage/Commands.pm
trunk/lib/setup-storage/Parser.pm
trunk/man/setup-storage.8
Log:
setup-storage: Partition pseudo-type luks:"<pass>" for LUKS device with user-defined passphrase.
Thanks: Patrick Schoenfeld for suggesting this and extensive testing.
* setup-storage/{Parser,Commands}.pm: Added partition pseudo-type
luks:"<pass>" to create LUKS devices with user-defined passphrase (thanks
Patrick Schoenfeld for suggesting this and extensive testing).
* setup-storage.8: Document luks:"<pass>" and the need for having busybox
installed.
Modified: trunk/lib/setup-storage/Commands.pm
===================================================================
--- trunk/lib/setup-storage/Commands.pm 2011-04-15 12:49:28 UTC (rev 6404)
+++ trunk/lib/setup-storage/Commands.pm 2011-04-15 12:58:38 UTC (rev 6405)
@@ -232,7 +232,7 @@
$pre_dep = "random_init_$real_dev";
}
- if ($mode eq "luks") {
+ if ($mode =~ /^luks(:"([^"]+)")?$/) {
my $keyfile = "$ENV{LOGDIR}/$enc_dev_short_name";
# generate a key for encryption
@@ -247,9 +247,23 @@
"cryptsetup luksOpen $real_dev $enc_dev_short_name --key-file $keyfile",
"crypt_format_$real_dev", "exist_$enc_dev_name" );
+ if (defined($1)) {
+ my $passphrase = $2;
+
+ # add user-defined key
+ &FAI::push_command(
+ "yes '$passphrase' | cryptsetup luksAddKey --key-file $keyfile $real_dev",
+ "exist_$enc_dev_name", "newkey_$enc_dev_name");
+ # remove previous key
+ &FAI::push_command(
+ "yes '$passphrase' | cryptsetup luksRemoveKey $real_dev $keyfile",
+ "newkey_$enc_dev_name", "removed_key_$enc_dev_name");
+
+ $keyfile = "none";
+ }
+
# add entries to crypttab
push @FAI::crypttab, "$enc_dev_short_name\t$real_dev\t$keyfile\tluks";
-
} elsif ($mode eq "tmp" || $mode eq "swap") {
&FAI::push_command(
"cryptsetup --key-file=/dev/urandom create $enc_dev_short_name $real_dev",
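Review bot: The passphrase taken from `$mode` is interpolated unescaped into the shell command strings on the `yes '$passphrase' | cryptsetup luksAddKey …` and `luksRemoveKey` lines; a `'` in the passphrase, which the new Parser.pm pattern `luks:"[^"]+"` in this commit permits, ends the single-quoted argument and leaves the remainder of the configuration value to be interpreted as shell syntax by the install run. Escape it before building the commands, e.g. `(my $shell_pass = $passphrase) =~ s/'/'\\''/g;` and use `yes '$shell_pass'` in both commands, or tighten the character class in Parser.pm to exclude `'`. Passing the passphrase as an argument to `yes` also exposes it in the process list and, if push_command records the command string in the FAI logs, in those logs as well; a comment such as `# NOTE: passphrase is visible on the command line and in command logs` would make that trade-off explicit until the key can be fed to cryptsetup on stdin. The `my $passphrase = $2;` assignment additionally relies on the captures from the `$mode =~ /^luks(:"([^"]+)")?$/` match in the previous hunk surviving the intervening statements; copying them into lexicals right after the match, `my ($has_pass, $passphrase) = ($1, $2);`, would be more robust. The enclosing if-block starts outside this hunk.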
Modified: trunk/lib/setup-storage/Parser.pm
===================================================================
--- trunk/lib/setup-storage/Parser.pm 2011-04-15 12:49:28 UTC (rev 6404)
+++ trunk/lib/setup-storage/Parser.pm 2011-04-15 12:58:38 UTC (rev 6405)
@@ -661,7 +661,7 @@
$FAI::partition_pointer_dev_name = "/dev/md$vol_id";
}
mountpoint devices filesystem mount_options mdcreateopts
- | /^(luks|tmp|swap)\s+/
+ | /^(luks|luks:"[^"]+"|tmp|swap)\s+/
{
($FAI::device eq "CRYPT") or
die "Encrypted device spec $1 invalid in context $FAI::device\n";
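Review bot: The die message below the new alternative interpolates `$1`, which with `luks:"[^"]+"` now carries the user's passphrase, so a stanza placed in the wrong context prints the secret into the error output and whatever captures it, assuming `$1` holds the matched token as the existing message already relies on. Redact the quoted part before reporting, e.g. `(my $spec = $1) =~ s{:"[^"]*"}{:"..."};` followed by `die "Encrypted device spec $spec invalid in context $FAI::device\n";`. The production's action block continues past the end of this hunk.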
Modified: trunk/man/setup-storage.8
===================================================================
--- trunk/man/setup-storage.8 2011-04-15 12:49:28 UTC (rev 6404)
+++ trunk/man/setup-storage.8 2011-04-15 12:58:38 UTC (rev 6405)
@@ -316,8 +316,12 @@
.br
| luks
.br
- /* encrypted partition using LUKS */
+ /* encrypted partition using LUKS and auto-generate a keyfile */
.br
+ | luks:"[^"]+"
+.br
+ /* encrypted partition using LUKS and use quoted string as passphrase */
+.br
| tmp
.br
/* encrypted partition for /tmp usage, will be
@@ -590,9 +594,11 @@
reasons why a system may fail to boot.
.IP \(bu
Crypto support requires some site-specific changes: If you use cryptsetup
-stanza, a crypttab file and key files for all luks volumes will be created. The
-key files are left in /tmp/fai; you will want to copy these to some removable
-media.
+stanza, a crypttab file and key files for all luks volumes will be created
+(unless you used the passphrase option). The key files are left in /tmp/fai; you
+will want to copy these to some removable media. To make encrypted root devices
+actually usable, you need to add busybox (and initramfs-tools) to your package
+config.
.SH SEE ALSO
This program is part of FAI (Fully Automatic Installation).
The FAI homepage is http://fai-project.org.