After looking into some tangentially related things I discovered another 
potential option might be configuring a LUKS unlock via SSH using a crafted 
dropbear loaded into the initrd. There are some posts on how to do this 
online but I haven't yet undertaken trying to get it to work with 
Packer/Vagrant. I would think for security you could avoid using a 
passphrase-less key but instead use the ssh_agent_forwarding to present a 
secure key that Packer/Vagrant could use to trigger the decrypt command 
once, and then delete the "key slot" from LUKS after allowing it to finish 
provisioning or running tests against the VM to ensure it met all required 
guidelines (InSpec compliance profiles like the https://dev-sec.io 
linux-baseline or ssh-baseline).

On Thursday, May 24, 2018 at 5:51:40 PM UTC-5, dragon788 wrote:
>
> It might be tricky but possible to trigger virtualbox "send-keys" via a 
> script using the "host-shell" provisioner in order to decrypt the machine's 
> drive on boot, but it would be tough to know the exact timing and might 
> require a bit of scripting to handle retries and check for SSH connectivity 
> before the password entry script quits. I've been thinking through this for 
> the virtualbox builder but I haven't had to put the effort into 
> implementing it yet since our box builds are only for quickly testing our 
> preseed/kickstart files without having to use real hardware.
>
> On Thursday, May 3, 2018 at 5:46:51 AM UTC-5, [email protected] wrote:
>>
>> Hi Mike,
>>
>> Looks like we have a similar issue. I can also interact manually but 
>> would love to automate the login after first reboot with LUKS enabled.
>>
>> Did you find a solution for this?
>>
>> Thanks!
>>
>> On Saturday, January 27, 2018 at 3:02:17 AM UTC+11, [email protected] 
>> wrote:
>>>
>>> I've managed to start to make this work, although with manual steps. The 
>>> trick was to set headless to false and enable VNC with qemu args. So at 
>>> least I can now enter the encryption passphrase in VNC. 
>>>
>>> Steps were:
>>> 1. in Packer qemu json set headless to false
>>> 2. in Packer qemu json set the display
>>>
>>> "qemuargs": [
>>>   [ "-m", "{{ user `memory` }}" ],
>>>   [ "-smp", "{{ user `cpus` }}" ],
>>>   [ "-display", "vnc=1" ]
>>> ]
>>>
>>>
>>> 3. once Packer is running, connect with vncviewer (you can get the IP and 
>>> port from the Packer log output) e.g. vncviewer 127.0.0.1:48
>>>
>>> Wondering if I can automate the passphrase entry by copying in a key file 
>>> during kickstart (and deleting the key file and entering a new LUKS key 
>>> slot later in build process for production machines.) Anyone know if that 
>>> will work, or if there is a better way to encrypt the LVM?
>>>
>>>
>>> On Friday, 26 January 2018 12:47:38 UTC, [email protected] wrote:
>>>>
>>>> I'm trying to create a Packer workflow that will create encrypted 
>>>> CentOS-based images for vagrant (qemu builder), KVM/libvirt (qemu builder), 
>>>> Azure and AWS. I want to be able to LUKS encrypt the entire LVM in the 
>>>> qemu based images. AWS and Azure do something else.
>>>>
>>>> With virsh based tools I can use say virt-install and give it a 
>>>> Kickstart file like the following:
>>>>
>>>> # Required settings
>>>> lang en_GB.UTF-8
>>>> keyboard uk
>>>> rootpw vagrant
>>>> authconfig --enableshadow --enablemd5
>>>> timezone UTC
>>>>
>>>>
>>>> # Optional settings
>>>> install
>>>> cdrom
>>>> user --name=vagrant --plaintext --password vagrant
>>>> unsupported_hardware
>>>> network --bootproto=dhcp
>>>> firewall --disabled
>>>> selinux --enforcing
>>>> bootloader --location=mbr
>>>> text
>>>> skipx
>>>> zerombr
>>>> clearpart --all --initlabel
>>>> firstboot --disabled
>>>>
>>>>
>>>> part /boot --fstype xfs --size=1000
>>>> # the following part command fails
>>>> part pv.2 --size=0 --grow --encrypted --cipher="aes-xts-plain64" --passphrase=<my encryption passphrase>
>>>> # the following part command works as no encryption
>>>> #part pv.2 --size=0 --grow
>>>> volgroup vg00 --pesize=4096 pv.2
>>>> logvol swap --vgname=vg00 --fstype swap --size=1024 --name=lv_swap
>>>> logvol / --vgname=vg00 --fstype xfs --size=1024 --grow --name=lv_root
>>>> logvol /usr --vgname=vg00  --fstype xfs  --percent=10 --name=lv_usr
>>>> logvol /home --vgname=vg00  --fstype xfs  --percent=30 --name=lv_home
>>>> logvol /var --vgname=vg00  --fstype xfs  --percent=10 --name=lv_var
>>>> logvol /var/log --vgname=vg00  --fstype xfs  --percent=10 --name=lv_varlog
>>>> logvol /var/log/audit --vgname=vg00  --fstype xfs  --percent=5 --name=lv_varlogaudit
>>>> logvol /tmp --vgname=vg00  --fstype xfs  --percent=8 --name=lv_tmp
>>>>
>>>>
>>>> reboot
>>>>
>>>>
>>>> If I don't use the encrypt arg in the part command the LVM is setup 
>>>> fine, but adding in encryption stalls the packer build at connecting with 
>>>> SSH. I assume as Anaconda finishes then reboots and there is no way to 
>>>> enter the encryption passphrase.
>>>>
>>>> I tried to get a console to the image during build but can't find it! 
>>>> e.g. 
>>>> sudo virsh list --all 
>>>>
>>>> does not show the image being built.
>>>>
>>>> Reading the documentation and googling around showed me no examples of 
>>>> anyone encrypting their qemu images. 
>>>>
>>>> The environment I am deploying in to can only be accessed via SSH so 
>>>> must use the serial console, there is no X-forwarding possible. Also, the 
>>>> VMs themselves must be encrypted, it is not acceptable to put an 
>>>> unencrypted VM in a LUKS container on the virtualisation host.
>>>>
>>>> Is it possible to encrypt images or the LVM with Packer? Are there 
>>>> other ways I can encrypt the packer image post build e.g. in the post 
>>>> section? 
>>>>
>>>> Thanks. Hope someone can help, been at this 3 days and going to get my 
>>>> butt kicked soon :-/
>>>>
>>>
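Added example, not from the thread or from Packer: a small Python lint over a kickstart like the one posted above. It flags the inline LUKS passphrase as a build-only keyslot that should be removed once provisioning is done, flags plaintext account passwords, and catches LVM layout mistakes (unknown PV or volgroup, --percent allocations over 100). The sample kickstart is a constructed excerpt of the thread's file with the passphrase replaced by a placeholder.

```python
# Constructed sample based on the kickstart posted in the thread; the real
# passphrase is replaced by an obvious placeholder.
SAMPLE_KS = """\
rootpw vagrant
user --name=vagrant --plaintext --password vagrant
part /boot --fstype xfs --size=1000
part pv.2 --size=0 --grow --encrypted --cipher="aes-xts-plain64" --passphrase=BUILD_ONLY
volgroup vg00 --pesize=4096 pv.2
logvol / --vgname=vg00 --fstype xfs --size=1024 --grow --name=lv_root
logvol /home --vgname=vg00 --fstype xfs --percent=30 --name=lv_home
"""

def parse_ks(text):
    """Yield (command, args) for every non-blank, non-comment kickstart line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            cmd, *args = line.split()
            yield cmd, args

def lint_ks(text):
    """Return (severity, message) findings: inline secrets and broken LVM layout."""
    findings, pvs, vgs, percent = [], set(), set(), {}
    for cmd, args in parse_ks(text):
        # "--key=value" options; space-separated ones like "--fstype xfs" are left alone
        opts = dict(a.split("=", 1) for a in args if a.startswith("--") and "=" in a)
        if cmd == "part":
            if args[0].startswith("pv."):
                pvs.add(args[0])
            if "--encrypted" in args and "--passphrase" in opts:
                findings.append(("warn", f"part {args[0]}: inline LUKS passphrase; use it as a build-only keyslot and remove it after provisioning"))
        elif cmd == "volgroup":
            missing = [a for a in args[1:] if not a.startswith("--") and a not in pvs]
            if missing:
                findings.append(("error", f"volgroup {args[0]}: unknown PV {missing}"))
            vgs.add(args[0])
        elif cmd == "logvol":
            vg = opts.get("--vgname")
            if vg not in vgs:
                findings.append(("error", f"logvol {args[0]}: unknown volgroup {vg}"))
            percent[vg] = percent.get(vg, 0) + int(opts.get("--percent", 0))
        elif cmd == "rootpw" and "--iscrypted" not in args:
            findings.append(("warn", "rootpw: plaintext root password in kickstart"))
        elif cmd == "user" and "--plaintext" in args:
            findings.append(("warn", "user: plaintext account password in kickstart"))
    for vg, pct in percent.items():
        if pct > 100:
            findings.append(("error", f"volgroup {vg}: --percent allocations exceed 100%"))
    return findings
```

Run `lint_ks(SAMPLE_KS)` against the kickstart before the Packer build; the "warn" on pv.2 is the reminder that the passphrase baked into the build input is only for the build and needs a replacement keyslot before the image ships.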

-- 
This mailing list is governed under the HashiCorp Community Guidelines - 
https://www.hashicorp.com/community-guidelines.html. Behavior in violation of 
those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
--- 
You received this message because you are subscribed to the Google Groups 
"Packer" group.