[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Customize LUKS setup on d-i

Hi Marc,

Quick and incomplete answers because my time is limited, but hopefully
better than nothing.

Marc Fargas <telenieko@telenieko.com> (2019-05-26):
> As a learning exercise I'm seeing how to best use yubikey-luks package
> from within a fresh installation of Debian (that is, from the earliest
> possible moment).
> I've given a quick read to the Debian Installer Internals [1] page and
> the install guide preseed appendix [2] for insight on how to go about
> it and so far I have thought of these scenarios:
> 1. Get yubikey-luks directly to work from the installer to setup a
> yubikey and pass the appropiate details to partman to setup the
> partitions directly with it.
> 2. preseed a static LUKS passphrase to the installer. Then after base
> system is ready, configure yubikey-luks prior to first reboot.
> 3. Same as 2. but setup yubikey during first boot with a one time boot
> script.
> Number three is probably the easiest (and most boring), but I'd would
> need the LUKS key to be preseeded, and from the preseed sample [3] it
> does not appear that this can be provideed from a seed file.
> Question 1: Can the LUKS passphrase be pre-seeded to partman somehow?

See there and below:

> If I manage this, then I need to hook some code at the end of the setup
> to install the one time boot script. I've read that d-i has hooks, so
> that I can drop a script somewhere and it will be run at the appropiate
> time from which I could install my script on the target system. So far I
> do not see how can I provide such hook scripts. It looks to me I have to
> build a custom udeb package to provide it.
> Question 2: What'd be the easiest / simplest approach to provide custom
> scripts / hook-scripts to d-i?

You could just use either early or late commands (see manual) to do
whatever you want to do, be it creating an extra hook or doing whatever
such a hook would do.


> PS: I am not subscribed to debian-boot, I was about to but there are
> lots of mails there! So, please don't forget to include me in the
> reply-to :)


Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to: