Bug 461700 - allow users to set global passphrase when creating encrypted devices
Summary: allow users to set global passphrase when creating encrypted devices
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: anaconda
Version: 5.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: David Lehman
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-09 23:42 UTC by David Lehman
Modified: 2009-01-20 21:36 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 21:36:29 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0164 0 normal SHIPPED_LIVE anaconda bug fix and enhancement update 2009-01-20 16:05:24 UTC

Description David Lehman 2008-09-09 23:42:36 UTC 
Description of problem:
We generally want to encourage users to have one good passphrase for all of the encrypted block devices in a given machine. The most obvious way to enable users to take this intelligent approach is to provide a mechanism through which they can establish a global passphrase during device creation (partitioning).

Version-Release number of selected component (if applicable):
anaconda-11.1.2.120-2.i386.rpm

We have done this already in rawhide (anaconda-11.4.1.29-1), and it is working well so far.
Comment 1 David Lehman 2008-09-15 23:47:34 UTC 
I have taken this a step further in rawhide.

The next build of anaconda in rawhide, which should end up in the F10-Beta, will contain the following changes. 

1) During partitioning, users are not prompted for a passphrase for each newly encrypted device -- instead, there is one prompt after partitioning. We prompt for one passphrase, which gets used for all the devices they've just specified should be encrypted.

2) If there are preexisting encrypted devices for which the user has provided a correct passphrase, we also show a checkbox. If the checkbox is checked, we will add the newly established passphrase to an available slot in each of the preexisting devices. The goal of this is to have one passphrase that provides access to all of the encrypted devices in a system, not just the new ones. It is optional, but active by default.

3) Users who want to assign different passphrases to different devices can do so using kickstart.

I am proposing that we backport this new approach to RHEL5.3.
Comment 2 RHEL Program Management 2008-09-16 00:11:51 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 David Lehman 2008-09-19 15:40:47 UTC 
Fixed in anaconda-11.1.2.127-1.
Comment 7 Alexander Todorov 2008-09-30 11:28:31 UTC 
Dave,
is the behavior from comment #1 documented somewhere?
Comment 8 David Lehman 2008-09-30 14:16:27 UTC 
It is documented here:

http://fedoraproject.org/wiki/Docs/Drafts/DiskEncryptionUserGuide#Creating_Encrypted_Block_Devices_in_Anaconda

I am trying to get this document into the RHEL5 documentation set in time for 5.3, as well as into Fedora in time for F10.
Comment 10 errata-xmlrpc 2009-01-20 21:36:29 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0164.html
Note You need to log in before you can comment on or make changes to this bug.