Bug 461700

Summary: allow users to set global passphrase when creating encrypted devices
Product: Red Hat Enterprise Linux 5 Reporter: David Lehman <dlehman>
Component: anacondaAssignee: David Lehman <dlehman>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.3CC: atodorov, borgan
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 21:36:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Lehman 2008-09-09 23:42:36 UTC 
Description of problem:
We generally want to encourage users to have one good passphrase for all of the encrypted block devices in a given machine. The most obvious way to enable users to take this intelligent approach is to provide a mechanism through which they can establish a global passphrase during device creation (partitioning).

Version-Release number of selected component (if applicable):
anaconda-11.1.2.120-2.i386.rpm

We have done this already in rawhide (anaconda-11.4.1.29-1), and it is working well so far.
Comment 1 David Lehman 2008-09-15 23:47:34 UTC 
I have taken this a step further in rawhide.

The next build of anaconda in rawhide, which should end up in the F10-Beta, will contain the following changes. 

1) During partitioning, users are not prompted for a passphrase for each newly encrypted device -- instead, there is one prompt after partitioning. We prompt for one passphrase, which gets used for all the devices they've just specified should be encrypted.

2) If there are preexisting encrypted devices for which the user has provided a correct passphrase, we also show a checkbox. If the checkbox is checked, we will add the newly established passphrase to an available slot in each of the preexisting devices. The goal of this is to have one passphrase that provides access to all of the encrypted devices in a system, not just the new ones. It is optional, but active by default.

3) Users who want to assign different passphrases to different devices can do so using kickstart.

I am proposing that we backport this new approach to RHEL5.3.
Comment 2 RHEL Program Management 2008-09-16 00:11:51 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 David Lehman 2008-09-19 15:40:47 UTC 
Fixed in anaconda-11.1.2.127-1.
Comment 7 Alexander Todorov 2008-09-30 11:28:31 UTC 
Dave,
is the behavior from comment #1 documented somewhere?
Comment 8 David Lehman 2008-09-30 14:16:27 UTC 
It is documented here:

http://fedoraproject.org/wiki/Docs/Drafts/DiskEncryptionUserGuide#Creating_Encrypted_Block_Devices_in_Anaconda

I am trying to get this document into the RHEL5 documentation set in time for 5.3, as well as into Fedora in time for F10.
Comment 10 errata-xmlrpc 2009-01-20 21:36:29 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0164.html