Bug 508963
| Summary: | [PATCH] Add key escrow options to pykickstart | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Miloslav Trmač <mitr> | ||||||
| Component: | pykickstart | Assignee: | Chris Lumens <clumens> | ||||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | rawhide | CC: | clumens | ||||||
| Target Milestone: | --- | Keywords: | FutureFeature | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Enhancement | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2009-09-10 15:06:43 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 508960, 508967, 510545, 607952 | ||||||||
| Attachments: |
|
||||||||
Thanks for the patch. I'll examine it later. This will of course also require an anaconda patch to do the hard work. Created attachment 351082 [details]
Add --escrowcert and --backuppassphrase
Updated patch, adding the same options to the "raid" and "logvol" commands.
Thanks for the patch. I've added this to the git repo and pushed. |
Created attachment 349973 [details] Add --escrowcert and --backuppassphrase This patch adds key escrow directives to pykickstart, used to store the encryption keys (and optionally create backup passphrases) of encrypted volumes. The options apply to the "autopart" and "part" commands: * --escrowcert=URL_for_X509_certificate If the volume is encrypted, store the encryption key used for the volume in /root/$label-$uuid-escrow of the installed system, encrypting it for the specified certificate. * --backuppassphrase If --escrowcert is specified, and the volume format supports it (LUKS does), add an additional, randomly generated, passphrase to the volume, and store it in /root/$label-$uuid-escrow-backup-passphrase .