Encrypting confidential files on the install server
Motivation
Read access restrictions on the files and scripts on the FAI install server are usually rather weak, so it is tricky to put passwords and other confidential data there. We therefore encrypt the confidential information stored on the install server. After the installation, the confidential files are protected by login authentication and filesystem permissions, so they can be safely decrypted. The drawback is that someone has to log in to the freshly installed system manually and provide the secret key needed to decrypt them.
Overview
1. Generate a gpg key pair for this purpose.
2. Encrypt the confidential files and add information about their ownership and filesystem permissions.
3. Adjust FAI configuration to install the encrypted files in /var/lib/fai/secrets/install/ and the decryption script /usr/local/sbin/fai-secrets-install on the target system.
4. Perform the installation.
5. Log into the freshly installed system (as root) and run fai-secrets-install.
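A sketch of steps 2 and 5 as shell functions, added here as an example; it is not the fai-secrets-install script this page refers to. The function names, the `.meta` sidecar format and the argument layout are assumptions, and it expects GnuPG 2, GNU coreutils and the secret key already imported into the keyring of the user who decrypts.

```shell
#!/bin/sh
# Added illustration: names, sidecar format and paths are assumptions,
# not the wiki's own fai-secrets-install.

# Step 2 (on the install server): encrypt SRC to RECIPIENT's public key and
# record owner, group and octal mode beside the ciphertext.
# --trust-model always: the server holds only the uncertified public key.
secret_encrypt() {  # usage: secret_encrypt RECIPIENT SRC OUTDIR
    name=$(basename "$2")
    gpg --batch --yes --trust-model always --recipient "$1" \
        --output "$3/$name.gpg" --encrypt "$2" || return 1
    stat -c '%U %G %a' "$2" > "$3/$name.meta"
}

# Step 5 (on the installed system): decrypt INDIR/NAME.gpg to DEST.
# The body runs in a subshell with umask 077, so the plaintext is never
# readable by others; it is renamed into place only after the recorded
# mode (and, when run as root, ownership) has been applied.
secret_install() (  # usage: secret_install INDIR NAME DEST
    umask 077
    read -r owner group mode < "$1/$2.meta" || return 1
    # The sidecar is stored unencrypted, so validate it before trusting it.
    case $mode in
        ''|*[!0-7]*) echo "bad mode in $2.meta" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if gpg --batch --yes --quiet --output "$tmp" --decrypt "$1/$2.gpg" &&
       chmod "$mode" "$tmp" &&
       { [ "$(id -u)" -ne 0 ] || chown "$owner:$group" "$tmp"; }
    then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
)
```

Because the sidecar is not encrypted, anyone with write access to the install server can alter the recorded mode or owner; signing the files or reviewing the sidecar before step 5 closes that gap.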
1. Generate a gpg key pair
to be continued tomorrow ... ;-)