Comment 1 for bug 1766865

Dimitri John Ledkov (xnox) wrote : Re: [18.10 FEAT]Installer support for protected key dm-crypt

The following changes will be needed:
1) modify s390-tools to ship zkey utilities in the udeb, for d-i
2) probably some modifications to partman-crypto to allow using zkey generated keys
3) detection when these keys are available
4) ensure consistent defaults are used, at the same or greater cryptographic strength

HW prerequisites:
we have z13, and it needs checking if we have the rest of the requirements satisfied

1) An IBM z14 or z13™ with the CPACF feature installed. The use of the CPACF requires the appropriate microcode to be loaded which you can order as no-charge feature code (LIC #3863).

2) For redundancy, two IBM Crypto Express5 or Crypto Express6 adapters in CCA coprocessor mode (CEX5C or CEX6C).

3) A Trusted Key Entry (TKE) workstation.

4) For non-production environments you can use the utilities from the CCA package instead of the TKE to set master keys.

5) SCSI or DASD volumes to be encrypted.

As first steps, it would be advisable to set these up and use them post-install. Then it can be looked into enabling this in the installer too. Given our current efforts targeting stabilising 18.04.1 and developing subiquity, I am not sure much progress will be made towards enabling this feature in 18.10. Certain steps can be made to make it easier to use - e.g. shipping zdev in a udeb.