Bug 508963

Summary: [PATCH] Add key escrow options to pykickstart
Product: [Fedora] Fedora Reporter: Miloslav Trmač <mitr>
Component: pykickstartAssignee: Chris Lumens <clumens>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: clumens
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-10 11:06:43 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 508960, 508967, 510545, 607952    
Attachments:
Description Flags
Add --escrowcert and --backuppassphrase
none
Add --escrowcert and --backuppassphrase none

Description Miloslav Trmač 2009-06-30 13:01:12 EDT
Created attachment 349973 [details]
Add --escrowcert and --backuppassphrase

This patch adds key escrow directives to pykickstart, used to store the encryption keys (and optionally create backup passphrases) of encrypted volumes.

The options apply to the "autopart" and "part" commands:
* --escrowcert=URL_for_X509_certificate
  If the volume is encrypted, store the encryption key used for the volume in
  /root/$label-$uuid-escrow of the installed system, encrypting it for the
  specified certificate.
* --backuppassphrase
  If --escrowcert is specified, and the volume format supports it (LUKS does),
  add an additional, randomly generated, passphrase to the volume, and store it
  in /root/$label-$uuid-escrow-backup-passphrase .
Comment 1 Chris Lumens 2009-07-01 11:13:08 EDT
Thanks for the patch.  I'll examine it later.  This will of course also require an anaconda patch to do the hard work.
Comment 2 Miloslav Trmač 2009-07-09 10:40:24 EDT
Created attachment 351082 [details]
Add --escrowcert and --backuppassphrase

Updated patch, adding the same options to the "raid" and "logvol" commands.
Comment 3 Chris Lumens 2009-09-10 11:06:43 EDT
Thanks for the patch.  I've added this to the git repo and pushed.