
Re: Customize LUKS setup on d-i



Hi Marc,

Quick and incomplete answers because my time is limited, but hopefully
better than nothing.

Marc Fargas <telenieko@telenieko.com> (2019-05-26):
> As a learning exercise I'm seeing how to best use yubikey-luks package
> from within a fresh installation of Debian (that is, from the earliest
> possible moment).
> 
> I've given a quick read to the Debian Installer Internals [1] page and
> the install guide preseed appendix [2] for insight on how to go about
> it and so far I have thought of these scenarios:
> 
> 1. Get yubikey-luks directly to work from the installer to set up a
> yubikey and pass the appropriate details to partman to set up the
> partitions directly with it.
> 
> 2. preseed a static LUKS passphrase to the installer. Then after base
> system is ready, configure yubikey-luks prior to first reboot.
> 
> 3. Same as 2. but set up yubikey during first boot with a one time boot
> script.
> 
> Number three is probably the easiest (and most boring), but I would
> need the LUKS key to be preseeded, and from the preseed sample [3] it
> does not appear that this can be provided from a seed file.
> 
> Question 1: Can the LUKS passphrase be pre-seeded to partman somehow?

See there and below:
  https://salsa.debian.org/installer-team/partman-crypto/blob/master/debian/partman-crypto.templates#L344

> If I manage this, then I need to hook some code at the end of the setup
> to install the one time boot script. I've read that d-i has hooks, so
> that I can drop a script somewhere and it will be run at the appropriate
> time from which I could install my script on the target system. So far I
> do not see how I can provide such hook scripts. It looks to me I have to
> build a custom udeb package to provide it.
> 
> Question 2: What'd be the easiest / simplest approach to provide custom
> scripts / hook-scripts to d-i?

You could just use either early or late commands (see manual) to do
whatever you want to do, be it creating an extra hook or doing whatever
such a hook would do.

  https://www.debian.org/releases/stable/amd64/apbs05.html#preseed-hooks

> PS: I am not subscribed to debian-boot, I was about to but there are
> lots of mails there! So, please don't forget to include me in the
> reply-to :)

Done.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
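
The late-command route suggested above, applied to scenario 3 from the quoted question, as an added example that is not part of the original thread or of any Debian package: a POSIX sh script that a late command can run to drop a one-time first-boot unit into the installed system. The script and unit names, the path in the sample late_command line, and a systemd-based target mounted at /target are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: luks-firstboot,
# and the path used to call this script from the preseed file, e.g.
#   d-i preseed/late_command string sh /cdrom/firstboot-install.sh
# Assumes the installed system uses systemd and is mounted at /target.

install_firstboot() {
    target="$1"
    sbin="$target/usr/local/sbin"
    units="$target/etc/systemd/system"
    mkdir -p "$sbin" "$units/multi-user.target.wants" || return 1

    # One-time script: runs once, then disables and deletes itself.
    cat > "$sbin/luks-firstboot" <<'EOF'
#!/bin/sh
set -e
# PLACEHOLDER: site-specific enrolment of the new key and retirement of the
# preseeded passphrase. With set -e, a failure here leaves the unit enabled
# so the step is retried on the next boot.
systemctl disable luks-firstboot.service
rm -f /etc/systemd/system/luks-firstboot.service /usr/local/sbin/luks-firstboot
EOF
    chmod 0700 "$sbin/luks-firstboot" || return 1

    cat > "$units/luks-firstboot.service" <<'EOF'
[Unit]
Description=One-time LUKS key enrolment (hypothetical example unit)
ConditionPathExists=/usr/local/sbin/luks-firstboot

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/luks-firstboot

[Install]
WantedBy=multi-user.target
EOF
    # Enable the unit without running systemctl: create the symlink that
    # "systemctl enable" would create.
    ln -sf ../luks-firstboot.service \
        "$units/multi-user.target.wants/luks-firstboot.service"
}

# Only act inside d-i, where the installed system is mounted at /target.
if [ -d /target/etc ]; then
    install_firstboot /target
fi
```

The first-boot script is installed mode 0700 so that whatever enrolment logic replaces the placeholder is readable by root only.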
