Provisioning of EU OS

Anaconda allows for unattended (hands-off) provisioning of Linux on bare-metal devices and virtual machines. The specific configuration happens in so-called Kickstart configuration files.

References:

Provisioning to Bare Metal machines (desktops/laptops)

WARNING

This section is work in progress. Related issue: #39

Full-Disk Encryption

WARNING

This section is work in progress. Related issue: #35

Full-Disk Encryption (FDE) protects configuration data and user data in case the device is lost or stolen. Most Linux distributions, EU OS included, rely on LUKS2 for FDE.

Setting up LUKS2 FDE

LUKS2 relies on a specific partition setup during the provisioning process. The setup is described in the Kickstart configuration file that Anaconda reads to install the system.

Kickstart
*TODO*

Unlocking LUKS2 Volumes

LUKS2 volumes can be unlocked with a passphrase or with a hardware security token. By default, the volume is unlocked with a passphrase; the default passphrase of the LUKS2 volume is euos. The default LUKS2 passphrase can be changed after installation; as the project progresses, a strong passphrase could be generated during partitioning. Hardware security keys are a convenient alternative to passphrases. systemd-cryptenroll is used to enroll hardware security tokens such as TPM, FIDO2 and PKCS#11 devices. Currently, FIDO2 is supported for unlocking the LUKS2 FDE volume at boot.

Enroll your FIDO2 device:

```sh
sudo systemd-cryptenroll --fido2-device auto /dev/<device, i.e. nvme0n1p3>
```

Add kernel argument to tell the initrd to use FIDO2:

```sh
sudo rpm-ostree kargs --append rd.luks.options=<LUKS device ID>=discard,fido2-device=auto
```
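As an added example (not part of the EU OS documentation), a POSIX shell check that the FIDO2 enrollment above took effect: it parses `cryptsetup luksDump` output for systemd-fido2 tokens, lists the keyslots that are still unlockable by passphrase, and confirms the `rd.luks.options` kernel argument carries `fido2-device=auto`. The sample dump and kargs line are constructed, and `luks-0000example` is a placeholder for the real LUKS device ID.

```shell
# Constructed sample of `cryptsetup luksDump` output: keyslot 0 holds the
# passphrase, keyslot 1 is bound to a systemd-fido2 token (real output has more fields).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-fido2
        fido2-rp:   io.systemd.cryptsetup
        Keyslot:    1
Digests:
  0: pbkdf2'
# Constructed `rpm-ostree kargs` output; luks-0000example stands in for the LUKS device ID.
SAMPLE_KARGS='rhgb quiet rd.luks.options=luks-0000example=discard,fido2-device=auto'

# Print the keyslot numbers bound to a systemd-fido2 token, one per line.
fido2_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/  { in_tokens = 1; next }
        /^Digests:/ { in_tokens = 0 }
        in_tokens && /^  [0-9]+: / { is_fido2 = ($2 == "systemd-fido2") }
        in_tokens && is_fido2 && $1 == "Keyslot:" { print $2 }'
}

# Print keyslots NOT bound to a FIDO2 token: the passphrase slots, where the
# default passphrase "euos" lives until it is changed.
unbound_keyslots() {
    fido=$(fido2_keyslots "$1" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v fido="$fido" '
        /^Keyslots:/ { in_slots = 1; next }
        /^Tokens:/   { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/ {
            sub(":", "", $1)
            if (index(" " fido, " " $1 " ") == 0) print $1
        }'
}

# Succeed when the rd.luks.options entry for LUKS device ID $2 enables FIDO2 unlocking.
kargs_fido2_enabled() {
    for arg in $1; do
        case "$arg" in
            rd.luks.options="$2"=*fido2-device=auto*) return 0 ;;
        esac
    done
    return 1
}

# Summary for the constructed samples.
echo "FIDO2 slots: $(fido2_keyslots "$SAMPLE_DUMP")  passphrase slots: $(unbound_keyslots "$SAMPLE_DUMP")"
```

On a real system, feed the functions the output of `sudo cryptsetup luksDump /dev/<device>` and `rpm-ostree kargs` instead of the samples.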

Provisioning to Virtual Machines (VMs)