Encrypting confidential files on the install server

From FAIWiki
Jump to navigation Jump to search

Motivation

Usually the (read) access restrictions on the files and scripts on the FAI install server are rather weak. So it is a bit tricky to put passwords and other confidential stuff there. We therefore use encryption to store confidential information on the install server. After the installation the confidential files are secured by the login authentication and filesystem permissions, so they can be safely decrypted. As a drawback, someone has to manually login into the freshly installed system and provide the secret key for the encryption.

Overview

1. Generate a gpg key pair for this purpose.

2. Encrypt confidential files, add information about ownership and filesystem permission.

3. Adjust FAI configuration to install the encrypted files in /var/lib/fai/secrets/install/ and the decryption script /usr/local/sbin/fai-secrets-install on the target system.

4. Perform the installation.

5. Log into the freshly installed system (as root) and run fai-secrets-install.

1. Generate a gpg key pair

to be continued tomorrow ... ;-)