diff options
| author | Klemens Nanni <kn@cvs.openbsd.org> | 2024-02-11 21:56:11 +0000 |
|---|---|---|
| committer | Klemens Nanni <kn@cvs.openbsd.org> | 2024-02-11 21:56:11 +0000 |
| commit | 3289ced7443233c598539ca9d00e6aa90e2530a1 (patch) | |
| tree | 82db2a1f9a67a0e2089aec4f0fc767128dbc5708 /distrib/miniroot | |
| parent | 611fbb1fd2b95435a2e4a123d3e87b46e2ed613d (diff) | |
Enable disk encryption in unattended installations
Interactively keeps using bioctl(8)'s own prompt, in unattended mode
ask_passphrase() ensures non-empty responses or fails.
Unlike user passwords, autoinstall(8) only supports plaintext passphrases:
Encrypt the root disk with a (p)assphrase or (k)eydisk = passphrase
New passphrase = secret
Make sure to trust the install network or use a pre-configured key disk:
Encrypt the root disk with a (p)assphrase or (k)eydisk = keydisk
Which disk contains the key disk = sd2
Which sd2 partition is the key disk = a
initial diff from Chris Narkiewicz
OK afresh1
Feedback sthen
Diffstat (limited to 'distrib/miniroot')
| -rw-r--r-- | distrib/miniroot/install.sub | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub index 81c8c258f94..c15feb93c3e 100644 --- a/distrib/miniroot/install.sub +++ b/distrib/miniroot/install.sub @@ -1,5 +1,5 @@ #!/bin/ksh -# $OpenBSD: install.sub,v 1.1258 2024/01/26 16:35:58 sthen Exp $ +# $OpenBSD: install.sub,v 1.1259 2024/02/11 21:56:10 kn Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015, Robert Peichaer <rpe@openbsd.org> @@ -917,7 +917,7 @@ ask_password() { } # Ask for a passphrase once showing prompt $1. Ensure input is not empty -# save it in $_passphrase. +# and save it in $_passphrase. ask_passphrase() { local _q=$1 @@ -3106,9 +3106,6 @@ encrypt_root() { [[ $MDBOOTSR == y ]] || return - # The interactive bioctl(8) passphrase prompt requires a TTY. - $AI && return - [[ -x /sbin/bioctl ]] || return # Do not even try if softraid is in use already, @@ -3124,8 +3121,12 @@ encrypt_root() { _args=-k$KEYDISK break ;; - # Do nothing, bioctl(8) will handle the passphrase. - [pP]*) break + [pP]*) $AI || break + ask_passphrase 'New passphrase?' + PASSFILE=/tmp/i/passfile + (umask 077 && print -r -- "$_passphrase" >$PASSFILE) + _args=-p$PASSFILE + break ;; [nN]*) return ;; @@ -3139,6 +3140,7 @@ encrypt_root() { echo 'RAID *' | disklabel -w -A -T- $_chunk bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null + rm -fP $PASSFILE # No volumes existed before asking, but we just created one. ROOTDISK=$(get_softraid_volumes) |