Thursday, 6 March 2014

Re: Installer's cryptsetup script - location and extending

On 25 August 2013 17:54, PHP Nut <[email protected]> wrote:
> I'd like to extend the installer's cryptsetup script to allow for:
>
> 1. Execution of a pre-cryptsetup script, if it exists, placed conveniently
> in the root of the installation medium.
> 2. User specification of parameters.
>
> The official installers do not allow this. While we can work around this
> manually, that is a laborious chore for every install of every release.
>
> Where is the installer's cryptsetup script located?
>
> We need this because:
>
> 1. Fresh systems lack sufficient, trustworthy entropy - virtual machines
> even more so.

There is "pollination" work ongoing in Ubuntu to securely provision /
add entropy to freshly provisioned machines.
At the moment virtual machines / cloud instances are targeted but I
hope it will be extended to other machines.

> 2. There are valid reasons for cipher changes from default (or just a
> reassuring re-specification). Setting aside some of the pointless changes
> and baseless paranoia we see on the forums, there is one major reason to do
> this: AES-128 is faster (with and without AES-NI) and sufficient to keep the
> data private, but certain people are contractually bound to use AES-256 FDE
> on all systems used in furtherance of certain contracts. Some of them are
> bound to FIPS compliance, others to a list of bullet points lifted from the
> spec.
> 3. Custom specification of the identity and the hardness parameters of the
> KDF are useful. The installer tries to strike a balance, but this balance is
> not appropriate in all situations.
> 4. Better support of the currently laborious task of setting up two-factor
> key derivation from a password and key file.
> 5. As a matter of principle, critical security settings should not be hidden
> and hard to modify. That doesn't mean that the default installer should make
> it easy for unknowledgeable people to break things, or that we must spend
> time letting every parameter be tweaked, but it does require at least some
> documented exposure intended for modification.
>

I believe all/most partman-crypto settings can be easily preseeded. If
that's not the case, bug reports / patches against partman-crypto are
very welcome.
We strive for the highest available / trustworthy crypto settings.

Since 12.04.4 LTS or any higher version of Ubuntu, we default to
AES-256 & xts-plain64 (choosing xts triggers doubling the keysize both
in partman-crypto and cryptsetup by the looks of things, thus actually
we might be ending up with AES-1024; I'll verify that), which is in line
with the highest & currently recommended security levels.

If you still wish to override these highly secure defaults, you can
specify key sizes, algorithms, etc. by preseeding partman-crypto/*
values in your preseed file. A sample of the used values is listed here:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/partman-crypto/trusty/view/head:/debian/partman-crypto.templates

> The pre-cryptsetup script allows the user to solve the problems associated
> with entropy and two-factor keying but without having to modify the
> installation tree for each image. A post-cryptsetup script along the same
> lines would also be useful.
>

I'm not quite sure what you mean by pre/post-cryptsetup scripts. d-i
based installations allow injecting arbitrary script execution at
multiple points during installation.
You can preseed the following keys:
* d-i preseed/early_command
* d-i partman/early_command
* d-i preseed/late_command

These allow very early execution of any shell commands, just before
partitioning, or after installation is done. See the upstream
debian-installer documentation on how to use those preseed values:
https://www.debian.org/releases/stable/i386/apbs05.html.en

> Parameter specification is fairly straightforward. We need a script which
> sets a few variables and optionally allows the substitution of a custom
> command.
>
> How might I get started on this?
>

I'd recommend you first explore all the available preseed options,
as I believe you can achieve/change everything you need using existing
facilities.
A good interactive way to experience them is by using d-i in expert
installation mode: at Ubuntu server image boot, choose expert
installation mode in the menus.

--
Regards,

Dimitri.

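As an added example (not from the thread, and not partman-crypto's own documentation), a preseed fragment doing what the reply describes: making the cipher settings explicit and hooking a script from the installation medium before partitioning, plus a post-install hook. The template names partman-crypto/cipher, partman-crypto/keysize and partman-crypto/ivalgorithm are assumed from the templates file linked above and should be checked against your release; /cdrom/pre-cryptsetup.sh and the log path are placeholders.

```text
# Added example preseed fragment; not from the thread. Template names are
# assumed: verify them against partman-crypto.templates for your release.

# Cipher parameters. These repeat the defaults named in the reply (AES-256,
# xts-plain64) so that the critical settings are visible and auditable in
# the preseed file rather than hidden in the installer.
d-i partman-crypto/cipher select aes
d-i partman-crypto/keysize select 256
d-i partman-crypto/ivalgorithm select xts-plain64
# XTS splits the dm-crypt key into two halves, so a 512-bit key handed to
# cryptsetup for aes-xts-plain64 is AES-256, not AES-512 or AES-1024. How
# partman-crypto maps the preseeded keysize onto that differs between
# versions (the doubling mentioned in the reply), so check the result with
# "cryptsetup luksDump <device>" on an installed test system.

# Pre-partitioning hook: the "pre-cryptsetup script" asked for in the
# thread, read from the root of the installation medium. /cdrom is a
# placeholder for where the medium is mounted in the installer; the hook
# is skipped when the file is absent, so one preseed serves all images.
d-i partman/early_command string \
    if [ -f /cdrom/pre-cryptsetup.sh ]; then sh /cdrom/pre-cryptsetup.sh; fi

# Post-installation hook, run once the target system is installed. Here it
# keeps a copy of the installer's partitioning log inside the target for
# later review (log path assumed).
d-i preseed/late_command string \
    cp /var/log/partman /target/root/partman-install.log
```
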
--
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel