[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Customize LUKS setup on d-i


As a learning exercise I'm seeing how to best use yubikey-luks package
from within a fresh installation of Debian (that is, from the earliest
possible moment).

I've given a quick read to the Debian Installer Internals [1] page and
the install guide preseed appendix [2] for insight on how to go about
it and so far I have thought of these scenarios:

1. Get yubikey-luks directly to work from the installer to setup a
yubikey and pass the appropiate details to partman to setup the
partitions directly with it.

2. preseed a static LUKS passphrase to the installer. Then after base
system is ready, configure yubikey-luks prior to first reboot.

3. Same as 2. but setup yubikey during first boot with a one time boot

Number three is probably the easiest (and most boring), but I'd would
need the LUKS key to be preseeded, and from the preseed sample [3] it
does not appear that this can be provideed from a seed file.

Question 1: Can the LUKS passphrase be pre-seeded to partman somehow?

If I manage this, then I need to hook some code at the end of the setup
to install the one time boot script. I've read that d-i has hooks, so
that I can drop a script somewhere and it will be run at the appropiate
time from which I could install my script on the target system. So far I
do not see how can I provide such hook scripts. It looks to me I have to
build a custom udeb package to provide it.

Question 2: What'd be the easiest / simplest approach to provide custom
scripts / hook-scripts to d-i?

With those two details, I think both 2 & 3 are feasible. At that point
it'd mostly be a matter of writting the proper script to setup the
yubikey from within the target system without having to really worry
about d-i internals. The next improvement to this would be to NOT use a
preseeded passphrase and instead generate a random passphrase during
install which would be removed at the end after setting up the yubikey.

I guess I'll be able to guess that one with questions 1 & 2 (I'd write a
simple hook before partman to generate the passphrase and seed it before
partman runs). Any tips much appreciated anyway :)

I think number 2. with a temporary random passphrase is the way to go as
it requires the least mangling with the installer by keeping all the
yubikey related stuff constrained to the target system. 

Number 1. looks to me that it would not make for a much better scenario
(it would just avoid the need of the temporary passhphrase) at the
expense of mangling a lot more with the installer, needing custom module
for setting up the yubikey and, probably, having to mess a lot with the
yubikey-luks & dependencies packages to have them work withing the d-i

So, any pointers on how to achieve 2., specialy the two questions above,
is much appreciated!


PS: I am not subscribed to debian-boot, I was about to but there are
lots of mails there! So, please don't forget to include me in the
reply-to :)

[1] https://d-i.debian.org/doc/internals/
[2] https://www.debian.org/releases/buster/amd64/apb.en.html
[3] https://www.debian.org/releases/buster/example-preseed.txt

Reply to: