5

I have a CentOS 6.5 environment that boots up servers using Kickstart. One of the requirements of our Kickstart is that the partitions are encrypted. Since Anaconda can only take plain text passwords for LUKS encrypted partitions, what's the best way to secure the Kickstart config files? We are currently serving them over HTTP and soon to be HTTPS.

chizou

3 Answers

2

What we do is kickstart with a dummy password and then change it after installation.

chutz
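
A sketch of the post-install rotation described in the answer above, added here as an example and not part of the original answer. It assumes the encrypted volumes are listed in `/etc/crypttab` and that the dummy and real passphrases are supplied as files without a trailing newline; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: replace the kickstart-time dummy LUKS passphrase after install.
# Assumptions: volumes are listed in /etc/crypttab; passphrase files hold the
# passphrase with no trailing newline (cryptsetup reads key files verbatim).

# Print the source device (field 2) of each crypttab entry, skipping comments
# and blank lines. UUID=<id> sources are mapped to /dev/disk/by-uuid/<id>.
crypttab_devices() (
    while read -r name src rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        [ -n "$src" ] || continue
        case "$src" in
            UUID=*) echo "/dev/disk/by-uuid/${src#UUID=}" ;;
            *)      echo "$src" ;;
        esac
    done < "$1"
)

# $1 = device, $2 = file with dummy passphrase, $3 = file with real passphrase.
# Add the real passphrase first and remove the dummy only if that succeeded,
# so the volume is never left without a working key slot.
rotate_passphrase() {
    cryptsetup luksAddKey --key-file "$2" "$1" "$3" || return 1
    cryptsetup luksRemoveKey "$1" "$2"
}

# $1 = crypttab path, $2 = dummy passphrase file, $3 = real passphrase file.
# Returns non-zero if any LUKS volume could not be rotated.
rotate_all() (
    rc=0
    for dev in $(crypttab_devices "$1"); do
        cryptsetup isLuks "$dev" || continue
        rotate_passphrase "$dev" "$2" "$3" || rc=1
    done
    exit "$rc"
)

# Run only when called with all three arguments, e.g.
#   rotate.sh /etc/crypttab /dev/shm/dummy.key /dev/shm/real.key
if [ "$#" -eq 3 ]; then
    rotate_all "$@"
fi
```

Keep both passphrase files on tmpfs and delete them once the rotation returns success; until then the dummy passphrase from the Kickstart file still opens the volume.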
1

If you don't specify a "--passphrase" in your RHEL 6 kickstart config, anaconda will prompt you for a password at installation time. That would help you to avoid storing LUKS passphrases in your kickstart config files entirely.

This doesn't seem to work with RHEL 7; instead the installation fails entirely.

1

Maybe generate them on the system and store them on the installed system, to be retrieved from the server (via an installed authorized_key)? You just need to avoid rebooting before the key is retrieved.

allo