Customize LUKS setup on d-i


Customize LUKS setup on d-i

Marc Fargas
Hi,

As a learning exercise I'm seeing how to best use yubikey-luks package
from within a fresh installation of Debian (that is, from the earliest
possible moment).

I've given a quick read to the Debian Installer Internals [1] page and
the install guide preseed appendix [2] for insight on how to go about
it and so far I have thought of these scenarios:

1. Get yubikey-luks directly to work from the installer to setup a
yubikey and pass the appropriate details to partman to setup the
partitions directly with it.

2. preseed a static LUKS passphrase to the installer. Then after base
system is ready, configure yubikey-luks prior to first reboot.

3. Same as 2. but setup yubikey during first boot with a one time boot
script.

Number three is probably the easiest (and most boring), but I'd
need the LUKS key to be preseeded, and from the preseed sample [3] it
does not appear that this can be provided from a seed file.

Question 1: Can the LUKS passphrase be pre-seeded to partman somehow?

If I manage this, then I need to hook some code at the end of the setup
to install the one time boot script. I've read that d-i has hooks, so
that I can drop a script somewhere and it will be run at the appropriate
time from which I could install my script on the target system. So far I
do not see how I can provide such hook scripts. It looks to me I have to
build a custom udeb package to provide it.

Question 2: What'd be the easiest / simplest approach to provide custom
scripts / hook-scripts to d-i?

With those two details, I think both 2 & 3 are feasible. At that point
it'd mostly be a matter of writing the proper script to setup the
yubikey from within the target system without having to really worry
about d-i internals. The next improvement to this would be to NOT use a
preseeded passphrase and instead generate a random passphrase during
install which would be removed at the end after setting up the yubikey.

I guess I'll be able to guess that one with questions 1 & 2 (I'd write a
simple hook before partman to generate the passphrase and seed it before
partman runs). Any tips much appreciated anyway :)

I think number 2. with a temporary random passphrase is the way to go as
it requires the least mangling with the installer by keeping all the
yubikey related stuff constrained to the target system.

Number 1. looks to me that it would not make for a much better scenario
(it would just avoid the need of the temporary passphrase) at the
expense of mangling a lot more with the installer, needing a custom module
for setting up the yubikey and, probably, having to mess a lot with the
yubikey-luks & dependencies packages to have them work within the d-i
system.

So, any pointers on how to achieve 2., especially the two questions above,
are much appreciated!

Thanks,
Marc

PS: I am not subscribed to debian-boot, I was about to but there are
lots of mails there! So, please don't forget to include me in the
reply-to :)

[1] https://d-i.debian.org/doc/internals/
[2] https://www.debian.org/releases/buster/amd64/apb.en.html
[3] https://www.debian.org/releases/buster/example-preseed.txt


Re: Customize LUKS setup on d-i

Cyril Brulebois
Hi Marc,

Quick and incomplete answers because my time is limited, but hopefully
better than nothing.

Marc Fargas <[hidden email]> (2019-05-26):

> As a learning exercise I'm seeing how to best use yubikey-luks package
> from within a fresh installation of Debian (that is, from the earliest
> possible moment).
>
> I've given a quick read to the Debian Installer Internals [1] page and
> the install guide preseed appendix [2] for insight on how to go about
> it and so far I have thought of these scenarios:
>
> 1. Get yubikey-luks directly to work from the installer to setup a
> yubikey and pass the appropriate details to partman to setup the
> partitions directly with it.
>
> 2. preseed a static LUKS passphrase to the installer. Then after base
> system is ready, configure yubikey-luks prior to first reboot.
>
> 3. Same as 2. but setup yubikey during first boot with a one time boot
> script.
>
> Number three is probably the easiest (and most boring), but I'd
> need the LUKS key to be preseeded, and from the preseed sample [3] it
> does not appear that this can be provided from a seed file.
>
> Question 1: Can the LUKS passphrase be pre-seeded to partman somehow?

See there and below:
  https://salsa.debian.org/installer-team/partman-crypto/blob/master/debian/partman-crypto.templates#L344

> If I manage this, then I need to hook some code at the end of the setup
> to install the one time boot script. I've read that d-i has hooks, so
> that I can drop a script somewhere and it will be run at the appropriate
> time from which I could install my script on the target system. So far I
> do not see how I can provide such hook scripts. It looks to me I have to
> build a custom udeb package to provide it.
>
> Question 2: What'd be the easiest / simplest approach to provide custom
> scripts / hook-scripts to d-i?

You could just use either early or late commands (see manual) to do
whatever you want to do, be it creating an extra hook or doing whatever
such a hook would do.

  https://www.debian.org/releases/stable/amd64/apbs05.html#preseed-hooks

> PS: I am not subscribed to debian-boot, I was about to but there are
> lots of mails there! So, please don't forget to include me in the
> reply-to :)

Done.


Cheers,
--
Cyril Brulebois ([hidden email])            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

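Putting the two answers together for Marc's scenario 2/3 with a temporary random passphrase: the script below is an added example, not code from the thread, from debian-installer or from the yubikey-luks package. It generates a random temporary passphrase, renders a preseed fragment that seeds it into partman-crypto, and uses preseed/late_command to leave a one-time script on the target that enrolls the YubiKey and then removes the temporary passphrase. The debconf template names partman-crypto/passphrase and partman-crypto/passphrase-again are taken from the partman-crypto.templates file linked above and should be checked against it; the download URL, the LUKS device path, the key slot, the yubikey-luks-enroll flags and the keyscript path are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts, from d-i or
# from yubikey-luks). Builds a preseed fragment plus a first-boot script.
# Assumptions: template names partman-crypto/passphrase{,-again}, SCRIPT_URL,
# the LUKS device /dev/sda5, key slot 7, and yubikey-luks paths and flags.
set -eu

SCRIPT_URL=${SCRIPT_URL:-http://preseed.example.invalid/yubikey-firstboot.sh}  # assumed

# Random temporary passphrase: 32 chars limited to [A-Za-z0-9] so it survives
# debconf, the shell quoting inside late_command and a key file unchanged.
gen_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Preseed lines for partman-crypto plus the late_command. $1 is the passphrase.
# The passphrase is written to the target without a trailing newline so that
# cryptsetup later reads exactly the bytes partman used.
render_preseed() {
    pass=$1
    cat <<EOF
# Unattended encrypted LVM; template names assumed from partman-crypto.templates
d-i partman-auto/method string crypto
d-i partman-crypto/passphrase password $pass
d-i partman-crypto/passphrase-again password $pass
# Runs in the installer environment once the base system is installed.
d-i preseed/late_command string \\
    apt-install yubikey-luks; \\
    wget -O /target/usr/local/sbin/yubikey-firstboot $SCRIPT_URL; \\
    in-target chmod 0700 /usr/local/sbin/yubikey-firstboot; \\
    printf '%s' '$pass' > /target/root/.luks-temp-pass; \\
    in-target chmod 0600 /root/.luks-temp-pass
EOF
}

# The one-time script left on the target; run it as root after first boot.
render_firstboot() {
    cat <<'EOF'
#!/bin/sh
set -eu
DEV=/dev/sda5              # assumed: the LUKS container partman created
SLOT=7                     # assumed: a free key slot for the YubiKey
TMP=/root/.luks-temp-pass  # written by late_command, lives inside the encrypted root
# Enroll the challenge-response secret (flags assumed from yubikey-luks-enroll);
# it prompts for an existing passphrase: use the contents of $TMP.
yubikey-luks-enroll -d "$DEV" -s "$SLOT"
# Append the yubikey keyscript to the crypttab options field partman wrote
# (keyscript path assumed from the yubikey-luks package).
sed -i 's|$|,keyscript=/usr/share/yubikey-luks/ykluks-keyscript|' /etc/crypttab
update-initramfs -u
# Only now remove the temporary passphrase; the key file holds its exact bytes.
cryptsetup luksRemoveKey "$DEV" "$TMP"
shred -u "$TMP"
EOF
}

# Write preseed.cfg and yubikey-firstboot.sh into $1 with restrictive modes.
build() {
    out=$1
    pass=$(gen_passphrase)
    umask 077
    render_preseed "$pass" > "$out/preseed.cfg"
    render_firstboot > "$out/yubikey-firstboot.sh"
}

# Only write files when asked, so the functions can be sourced without side effects.
if [ -n "${PRESEED_OUT:-}" ]; then build "$PRESEED_OUT"; fi
```

Usage: `PRESEED_OUT=/srv/preseed sh build-preseed.sh`, then serve both files from the location SCRIPT_URL points at. Two caveats a practitioner would want: the rendered preseed.cfg contains the temporary passphrase in clear, so it must only be reachable by the machine being installed and should be deleted after the install; and yubikey-luks-enroll is interactive, so the first-boot script is meant to be run by hand (or from a oneshot unit with a console). It is also worth rebooting once and confirming the YubiKey actually unlocks the volume before the luksRemoveKey step, since after it the temporary passphrase is gone.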

Re: Customize LUKS setup on d-i

Marc Fargas
Hi,

Quoting Cyril Brulebois (2019-05-27 00:34:00)

> Hi Marc,
>
> Quick and incomplete answers because my time is limited, but hopefully
> better than nothing.
>
> Marc Fargas <[hidden email]> (2019-05-26):
> > Question 1: Can the LUKS passphrase be pre-seeded to partman somehow?
>
> See there and below:
>   https://salsa.debian.org/installer-team/partman-crypto/blob/master/debian/partman-crypto.templates#L344
>
> > Question 2: What'd be the easiest / simplest approach to provide custom
> > scripts / hook-scripts to d-i?
>
> You could just use either early or late commands (see manual) to do
> whatever you want to do, be it creating an extra hook or doing whatever
> such a hook would do.
>
>   https://www.debian.org/releases/stable/amd64/apbs05.html#preseed-hooks

Thanks for the tips! :)

Marc