Hello Folks,
I just wanted to provide an up-to-date example of OS disk encryption based on this post by @axino, and others!
With some tweaks I have the following curtin configuration to encrypt the OS disk:
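apt:
  preserve_sources_list: false
  # HTTP proxy used for package fetches during the install (a local cache).
  proxy: http://10.10.32.4:8000/
  # Written to the target's sources.list; curtin expands $RELEASE.
  # A literal block scalar keeps one entry per line. The single-quoted,
  # line-folded form in the original paste would fold the commented
  # "# deb-src" entries onto the preceding "deb" line, producing a single
  # malformed entry instead of separate lines.
  sources_list: |
    deb http://archive.ubuntu.com/ubuntu $RELEASE restricted main multiverse universe
    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE restricted main multiverse universe
    deb http://archive.ubuntu.com/ubuntu $RELEASE-updates restricted main multiverse universe
    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE-updates restricted main multiverse universe
    deb http://archive.ubuntu.com/ubuntu $RELEASE-security restricted main multiverse universe
    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE-security restricted main multiverse universe
    deb http://archive.ubuntu.com/ubuntu $RELEASE-backports restricted main multiverse universe
    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE-backports restricted main multiverse universe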
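cloudconfig:
  # Files dropped into the target's /etc/cloud/cloud.cfg.d so that cloud-init
  # reaches the MAAS datasource and reports status back on first boot.
  # Block scalars replace the escaped "\n ..." strings of the original paste,
  # whose inner indentation had collapsed to single spaces (making "MAAS:" and
  # its children siblings rather than a nested mapping).
  # Credential values are placeholders, matching the top-level reporting
  # section; the real per-node OAuth tokens do not belong in a shared example
  # and, if they were ever posted, should be treated as exposed and rotated.
  maas-cloud-config:
    content: |
      #cloud-config
      datasource:
        MAAS:
          consumer_key: TOKEN
          metadata_url: http://10.10.32.4:5248/MAAS/metadata/
          token_key: TOKEN
          token_secret: TOKEN
    path: /etc/cloud/cloud.cfg.d/90_maas_cloud_config.cfg
  maas-datasource:
    content: 'datasource_list: [ MAAS ]'
    path: /etc/cloud/cloud.cfg.d/90_maas_datasource.cfg
  maas-reporting:
    content: |
      #cloud-config
      reporting:
        maas:
          consumer_key: TOKEN
          endpoint: http://10.10.32.4:5248/MAAS/metadata/status/bs8btk
          token_key: TOKEN
          token_secret: TOKEN
          type: webhook
    path: /etc/cloud/cloud.cfg.d/90_maas_cloud_init_reporting.cfg
  maas-ubuntu-sso:
    content: |
      #cloud-config
      snap:
        email: root@localhost
    path: /etc/cloud/cloud.cfg.d/90_maas_ubuntu_sso.cfg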
debconf_selections:
  # Preseed grub so it does not write EFI boot entries into NVRAM.
  grub2: grub2 grub2/update_nvram boolean false
  # Preseed lines supplied by MAAS; the {{...}} loop is the template syntax
  # MAAS renders before curtin ever sees this file.
  maas: |
    {{for line in str(curtin_preseed).splitlines()}}
    {{line}}
    {{endfor}}
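early_commands:
  # Commands run before storage/network are configured.
  driver_00:
    - sh
    - -c
    - echo third party drivers not installed or necessary.
  # Map entropy.ubuntu.com to localhost in the installer environment
  # (presumably so nothing blocks on reaching it during the install - confirm).
  # This has to go through a shell: a list-form command is executed directly,
  # so in the original the '>>' and '/etc/hosts' were passed to echo as plain
  # arguments and nothing was appended to /etc/hosts.
  redirect:
    - sh
    - -c
    - echo 127.0.0.1 entropy.ubuntu.com >> /etc/hosts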
install:
  # Where curtin writes its install log and the log bundle it builds on
  # failure; post_files lists what gets sent to the reporting endpoint.
  error_tarfile: /tmp/curtin-logs.tar
  log_file: /tmp/install.log
  post_files: [/tmp/install.log, /tmp/curtin-logs.tar]

kernel:
  # No release-specific kernel mapping; install the generic meta-package.
  mapping: {}
  package: linux-generic

kernel-crash-dumps:
  enabled: false
late_commands:
  # Runs inside the installed target after curthooks.
  # Replaces the literal text LUKS1 with LUKS2 wherever it appears in
  # /etc/fstab. Why the generated fstab would contain that token is not
  # shown here - check the resulting /etc/fstab before relying on this.
  00_fix_fstab:
    - curtin
    - in-target
    - '--'
    - perl
    - '-p'
    - '-i'
    - '-e'
    - s/LUKS1/LUKS2/
    - /etc/fstab
  # Rendered by MAAS; presumably posts to the region so the node is no longer
  # PXE-booted into the installer.
  maas: [wget, '--no-proxy', {{node_disable_pxe_url|escape.json}}, '--post-data', {{node_disable_pxe_data|escape.json}}, '-O', '/dev/null']
network:
  version: 2
  ethernets:
    enp5s0:
      # Static netplan config for the single NIC, matched by MAC and renamed.
      match:
        macaddress: '00:16:3e:e2:dd:c8'
      set-name: enp5s0
      mtu: 1500
      addresses:
        - 10.10.32.44/24
      # NOTE(review): gateway4 is deprecated in newer netplan releases in
      # favour of a routes entry; it still applies here, presumably - confirm
      # on the target release.
      gateway4: 10.10.32.3
      nameservers:
        addresses:
          - 10.10.32.4
        search:
          - maas
# "custom" mode makes curtin apply the network: and storage: sections of this
# very file rather than auto-generating a layout.
network_commands:
  builtin: [curtin, net-meta, custom]

partitioning_commands:
  builtin: [curtin, block-meta, custom]
reporting:
  # Status webhook back to the MAAS region; the OAuth values are placeholders.
  maas:
    type: webhook
    endpoint: http://10.10.32.4:5248/MAAS/metadata/status/bs8btk
    consumer_key: TOKEN
    token_key: TOKEN
    token_secret: TOKEN

# Include a traceback in curtin's error reporting.
showtrace: true
storage:
  version: 1
  config:
    ### DISKS
    # sdb carries the whole installation and is the grub device.
    - id: sdb
      type: disk
      name: sdb
      model: QEMU HARDDISK
      serial: lxd_disk1
      ptable: gpt
      grub_device: true
      wipe: superblock
    # NOTE(review): sda is listed only so its superblocks get wiped; nothing
    # below partitions or mounts it. Drop this entry if that disk must be
    # left intact.
    - id: sda
      type: disk
      name: sda
      model: QEMU HARDDISK
      serial: lxd_root
      wipe: superblock

    ### PARTITIONS
    # 1: EFI system partition (fat32, mounted at /boot/efi below)
    - id: sdb-part1
      type: partition
      device: sdb
      number: 1
      name: sdb-part1
      flag: boot
      offset: 4194304B
      size: 536870912B
      uuid: 5956282c-d62d-426e-b06f-024e8c0ddee6
      wipe: superblock
    # 2: unencrypted /boot
    - id: sdb-part2
      type: partition
      device: sdb
      number: 2
      name: sdb-part2
      size: 5G
      uuid: 11111111-1111-1111-0000-000000000102
      wipe: superblock
    # 3: the partition that becomes the encrypted root
    - id: sdb-part3
      type: partition
      device: sdb
      number: 3
      name: sdb-part3
      size: 30G
      uuid: 9e5c3d83-b89f-4a47-9945-5e4a7c8dd053
      wipe: superblock

    ### CRYPT
    # dm-crypt container on partition 3; the root filesystem goes inside it.
    # The passphrase is stored in plain text in this config and any copy of
    # it (MAAS, logs, this post), so treat it as an install-time value only
    # and replace it on the installed system before the machine carries
    # anything sensitive.
    - id: sdb-part3_crypt
      type: dm_crypt
      dm_name: sdb3_crypt
      volume: sdb-part3
      key: tempkey
      # Given as a string; whether curtin forwards it to cryptsetup is not
      # visible from this file - confirm.
      keysize: '512'

    ### FORMATS
    - id: sdb-part1_format
      type: format
      fstype: fat32
      label: efi
      volume: sdb-part1
      uuid: b334b020-71e2-4390-a33e-0171d7173d7a
    - id: sdb-part2_format
      type: format
      fstype: ext4
      label: ''
      volume: sdb-part2
      uuid: 11111111-1111-1111-0003-000000000000
    # Root filesystem is created on the opened crypt device, not the raw partition.
    - id: sdb-part3_format
      type: format
      fstype: ext4
      label: root
      volume: sdb-part3_crypt
      uuid: 63452a9e-cd7c-4d39-a7a1-dab9f3cb702b

    ### MOUNTS
    - id: sdb-part3_mount
      type: mount
      device: sdb-part3_format
      path: /
      options: ''
    - id: sdb-part2_mount
      type: mount
      device: sdb-part2_format
      path: /boot
      options: ''
    - id: sdb-part1_mount
      type: mount
      device: sdb-part1_format
      path: /boot/efi
      options: ''

verbosity: 3
Enjoy!
Peter