Hi Marc,

Quick and incomplete answers because my time is limited, but hopefully
better than nothing.

Marc Fargas <telenieko@telenieko.com> (2019-05-26):
> As a learning exercise I'm seeing how to best use yubikey-luks package
> from within a fresh installation of Debian (that is, from the earliest
> possible moment).
>
> I've given a quick read to the Debian Installer Internals [1] page and
> the install guide preseed appendix [2] for insight on how to go about
> it and so far I have thought of these scenarios:
>
> 1. Get yubikey-luks directly to work from the installer to setup a
>    yubikey and pass the appropriate details to partman to setup the
>    partitions directly with it.
>
> 2. preseed a static LUKS passphrase to the installer. Then after base
>    system is ready, configure yubikey-luks prior to first reboot.
>
> 3. Same as 2. but setup yubikey during first boot with a one time boot
>    script.
>
> Number three is probably the easiest (and most boring), but I would
> need the LUKS key to be preseeded, and from the preseed sample [3] it
> does not appear that this can be provided from a seed file.
>
> Question 1: Can the LUKS passphrase be pre-seeded to partman somehow?

See there and below:
https://salsa.debian.org/installer-team/partman-crypto/blob/master/debian/partman-crypto.templates#L344

> If I manage this, then I need to hook some code at the end of the setup
> to install the one time boot script. I've read that d-i has hooks, so
> that I can drop a script somewhere and it will be run at the appropriate
> time from which I could install my script on the target system. So far I
> do not see how can I provide such hook scripts. It looks to me I have to
> build a custom udeb package to provide it.
>
> Question 2: What'd be the easiest / simplest approach to provide custom
> scripts / hook-scripts to d-i?

You could just use either early or late commands (see manual) to do
whatever you want to do, be it creating an extra hook or doing whatever
such a hook would do.

https://www.debian.org/releases/stable/amd64/apbs05.html#preseed-hooks

> PS: I am not subscribed to debian-boot, I was about to but there are
> lots of mails there! So, please don't forget to include me in the
> reply-to :)

Done.

Cheers,
-- 
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
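A preseed fragment for scenario 3 as discussed in the thread above, added here as an illustration and not taken from either poster or from the Debian manual. The passphrase value, the script name and the /cdrom source path are constructed placeholders; the first-boot script itself is assumed to exist and is not shown.

```cfg
# --- Added example: constructed values, not from the original thread ---

# Guided partitioning with LVM inside an encrypted volume.
d-i partman-auto/method string crypto

# Temporary LUKS passphrase (partman-crypto templates). Anyone who can
# read this preseed file can unlock the disk, so treat the value as
# throwaway and keep the file off shared or unauthenticated media.
d-i partman-crypto/passphrase password CHANGE-ME-temporary
d-i partman-crypto/passphrase-again password CHANGE-ME-temporary

# Pull yubikey-luks into the installed system.
d-i pkgsel/include string yubikey-luks

# late_command runs in the installer environment after the base system
# is installed; the new system is mounted at /target.
# firstboot-yubikey.sh is a hypothetical one-time script. It is assumed
# to enroll the YubiKey on first boot and then remove the key slot that
# still holds the temporary passphrase above, so the preseeded secret
# does not remain a valid way to unlock the volume.
d-i preseed/late_command string \
    cp /cdrom/firstboot-yubikey.sh /target/usr/local/sbin/firstboot-yubikey.sh; \
    chmod 0700 /target/usr/local/sbin/firstboot-yubikey.sh
```

How the copied script is triggered on first boot (for example a unit or init hook that disables itself afterwards) is left to the installed system and is outside what this fragment configures.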