From: Klemens Nanni Subject: Re: [patch] Autoinstall with disk encryption To: tech@openbsd.org, kn@openbsd.org Date: Thu, 25 Jan 2024 17:59:25 +0000 On Thu, Jan 25, 2024 at 12:01:01PM +0000, Chris Narkiewicz wrote: > On Fri, Dec 22, 2023 at 02:58:06PM +0000, Chris Narkiewicz wrote: > > I'd like to kindly ask again if there is any interest in such feature to > > enable unattended installation with disk encryption. > > There was some encouragement I received, but I assume that xmas and new year > were not a good time to seek for attention. :) > > Here I am again, asking for feedback. How did you test? > Index: install.sub > =================================================================== > RCS file: /cvs/src/distrib/miniroot/install.sub,v > retrieving revision 1.1257 > diff -u -p -u -p -r1.1257 install.sub > --- install.sub 24 Oct 2023 18:03:53 -0000 1.1257 > +++ install.sub 13 Dec 2023 18:27:30 -0000 > @@ -3099,6 +3099,13 @@ pick_keydisk() { > KEYDISK=$_disk$_label > } > > +get_disk_passphrase() { > + ask_password 'Password for disk encryption?' (I ignore wording for now.) ask_password() may return the empty string, but bioctl(8) won't accept it. > + DISK_PASS="${_password}" DISK_PASS serves no purpose. > + echo "${DISK_PASS}" > $DISK_PASS_FILE > + chmod 0600 $DISK_PASS_FILE Setting umask(2) in a subshell and using ksh(1)'s print `builtin' is shorter and the idiom install.sub already uses. > +} > + > encrypt_root() { > local _args _chunk=$ROOTDISK > > @@ -3122,8 +3129,11 @@ encrypt_root() { > _args=-k$KEYDISK > break > ;; > - # Do nothing, bioctl(8) will handle the passphrase. > - [pP]*) break > + # Ask for password and store it into a temporary file for bioctl > + [pP]*) > + get_disk_passphrase > + _args=-p$DISK_PASS_FILE > + break A different interactive prompt is certainly the only effective change. Unattended installations won't be able to run this code as you left this up in encrypt_root(): # The interactive bioctl(8) passphrase prompt requires a TTY. $AI && return (You may as well the passfile right after use, for good measure. No point in leaving cleartext passphrases behind.) > ;; > [nN]*) return > ;; > @@ -3606,6 +3616,7 @@ CGI_INFO=/tmp/i/cgiinfo > CGI_METHOD= > CGI_TIME= > CGI_TZ= > +DISK_PASS_FILE=/tmp/i/disk_password > export EDITOR=ed > HTTP_DIR= > HTTP_LIST=/tmp/i/httplist > > > Best regards, > Chris Narkiewicz > > -- > Phone: +44 7502 415 180 (also Signal, WhatsApp) > Matrix: @ezaquarii:etacassiopeiae.net > Mastodon: @ezaquarii@social.etacassiopeiae.net > GPG: F86C 15AB 6FFE 6F81 43D7 4C1E 98BF 5BA2 F3BB 4D28 >