
Bug#530784: partman-crypto: preseeding of the dm-crypt passphrase failed



Many thanks for this information.
If I rebuild the udeb package and delete the two "db_fset ..." lines,
should the preseeding of the passphrase work?

The background is that we have to deliver preinstalled laptops. They must
have encrypted partitions (protection of the data when losing one of
them). After delivery of the laptops and before starting work, the user
_must_ set his own passphrase and _must_ delete the "installation
passphrase".
I haven't found another solution to use dm-crypt on nearly the full
disk (it is not possible to encrypt the partitions after the installation).

respectfully

Gabriel

Frans Pop wrote:
> severity 530784 wishlist
> retitle 530784 Consider adding support to preseed a dm-crypt passphrase
> thanks
>
> On Wednesday 27 May 2009, Gabriel Sailer wrote:
>   
>> I tried to install about 20 laptops, fully preseeded, with encrypted
>> root and swap (and a normal /boot). The installation works but
>> without accepting my preseeded partman-crypto/passphrase (and
>> partman-crypto/passphrase-again).
>>     
>
> Thanks for the additional info.
>
> The problem seems to be in the blockdev-keygen script. This has:
> get_passphrase () {
>         local pass_ok
>
>         pass_ok=0
>         while [ $pass_ok -eq 0 ]; do
>                 templ="partman-crypto/passphrase"
>                 db_set $templ ""
>                 db_fset $templ seen false
>                 db_subst $templ DEVICE "$description"
>                 db_input critical $templ
>
>                 templ="partman-crypto/passphrase-again"
>                 db_set $templ ""
>                 db_fset $templ seen false
>                 db_input critical $templ
>
>                 db_go || return 1
>
> Basically this means that the passphrase gets reset before it is asked. So 
> in the current code preseeding the passphrase is very simply not 
> supported. As the code also unsets the "seen" flag and the priority of 
> the question is critical, the question should always be asked though.
>
> Possibly preseeding of the passphrase was not considered safe enough by 
> the original authors of the code. Possibly also because having the same 
> passphrase for multiple machines would rather defeat the purpose (although 
> I could see some logic to that in a corporate setting where the main goal 
> is to protect data against outsiders).
>
> Cheers,
> FJP
>
>
>
>   


