Bug 461700 - allow users to set global passphrase when creating encrypted devices
allow users to set global passphrase when creating encrypted devices
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: anaconda (Show other bugs)
5.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: David Lehman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-09 19:42 EDT by David Lehman
Modified: 2009-01-20 16:36 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:36:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lehman 2008-09-09 19:42:36 EDT
Description of problem:
We generally want to encourage users to have one good passphrase for all of the encrypted block devices in a given machine. The most obvious way to enable users to take this intelligent approach is to provide a mechanism through which they can establish a global passphrase during device creation (partitioning).

Version-Release number of selected component (if applicable):
anaconda-11.1.2.120-2.i386.rpm

We have done this already in rawhide (anaconda-11.4.1.29-1), and it is working well so far.
Comment 1 David Lehman 2008-09-15 19:47:34 EDT
I have taken this a step further in rawhide.

The next build of anaconda in rawhide, which should end up in the F10-Beta, will contain the following changes. 

1) During partitioning, users are not prompted for a passphrase for each newly encrypted device -- instead, there is one prompt after partitioning. We prompt for one passphrase, which gets used for all the devices they've just specified should be encrypted.

2) If there are preexisting encrypted devices for which the user has provided a correct passphrase, we also show a checkbox. If the checkbox is checked, we will add the newly established passphrase to an available slot in each of the preexisting devices. The goal of this is to have one passphrase that provides access to all of the encrypted devices in a system, not just the new ones. It is optional, but active by default.

3) Users who want to assign different passphrases to different devices can do so using kickstart.

I am proposing that we backport this new approach to RHEL5.3.
Comment 2 RHEL Product and Program Management 2008-09-15 20:11:51 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 David Lehman 2008-09-19 11:40:47 EDT
Fixed in anaconda-11.1.2.127-1.
Comment 7 Alexander Todorov 2008-09-30 07:28:31 EDT
Dave,
is the behavior from comment #1 documented somewhere?
Comment 8 David Lehman 2008-09-30 10:16:27 EDT
It is documented here:

http://fedoraproject.org/wiki/Docs/Drafts/DiskEncryptionUserGuide#Creating_Encrypted_Block_Devices_in_Anaconda

I am trying to get this document into the RHEL5 documentation set in time for 5.3, as well as into Fedora in time for F10.
Comment 10 errata-xmlrpc 2009-01-20 16:36:29 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0164.html

Note You need to log in before you can comment on or make changes to this bug.