2 commits - en-US/beginninginstallation.xml en-US/DiskEncryptionUserGuide.xml en-US/Graphical_Installation_x86_Starting.xml en-US/Important_UEFI.xml en-US/Kickstart2.xml

Rüdiger Landmann rlandmann at fedoraproject.org
Mon Dec 21 05:59:59 UTC 2009


 en-US/DiskEncryptionUserGuide.xml             |   32 ++++++++++++---
 en-US/Graphical_Installation_x86_Starting.xml |    1 
 en-US/Important_UEFI.xml                      |   13 ++++++
 en-US/Kickstart2.xml                          |   53 +++++++++++++++++++++++++-
 en-US/beginninginstallation.xml               |    1 
 5 files changed, 93 insertions(+), 7 deletions(-)

New commits:
commit d61b8046198b7e476f3a9efc9e99252da6f6579b
Author: Ruediger Landmann <r.landmann at redhat.com>
Date:   Mon Dec 21 15:56:44 2009 +1000

    Document backup passphrases for encrypted volumes

diff --git a/en-US/DiskEncryptionUserGuide.xml b/en-US/DiskEncryptionUserGuide.xml
index d9ef41d..05f649d 100644
--- a/en-US/DiskEncryptionUserGuide.xml
+++ b/en-US/DiskEncryptionUserGuide.xml
@@ -131,18 +131,38 @@
 	<title>What Kinds of Block Devices Can Be Encrypted? </title>
 	<para> Most types of block devices can be encrypted using LUKS. From anaconda you can encrypt partitions, LVM physical volumes, LVM logical volumes, and software RAID arrays.</para>
       </section>
-      <section>
+<!--      <section>
 	<title>Limitations of Anaconda's Block Device Encryption Support </title>
 	<para>This section is about Anaconda's Block Device Encryption Support</para>
-	<!--section>
+	section>
 	  <title>Filling the Device with Random Data Before Encrypting </title>
 	  <para> Filling a device with random data prior to encrypting improves the strength of the encryption. However, it can take a very long time to fill the device with random data. It is because of those time requirements that anaconda does not offer this option. This step can be performed manually, using a <command>kickstart %pre</command> script. Instructions can be found <xref linkend="randomize_device"/>.</para>
-	</section-->
-	<!--section>
+	</section>
+	section>
 	  <title>Using a Key Comprised of Randomly Generated Data to Access Encrypted Devices </title>
 	  <para> In addition to passphrases, LUKS devices can be accessed with a key comprised of randomly generated data. Setting up one or more keys to access the encrypted devices can be done on the installed system or through the use of a <command>kickstart %post</command> script. Instructions can be found <xref linkend="new_key"/>.</para>
-	</section-->
- 	</section>
+	</section>
+ 	</section> -->
+	<section>
+		<title>Backing Up Passphrases</title>
+		<indexterm significance="normal">
+			<primary>Encryption</primary>
+			<secondary>Backing up passphrases</secondary>
+		</indexterm>
+		<indexterm significance="normal">
+			<primary>Passphrases</primary>
+			<secondary>Backing up</secondary>
+		</indexterm>
+		<para>
+			If you use a kickstart file during installation, you can save the encryption keys to the block devices on the system and create backup passphrases for these devices. To use this feature, you must have an X.509 certificate available at a location that <application>anaconda</application>. To specify the URL of this certificate, add the  <parameter>--escrowcert</parameter> parameter to any of the <command>autopart</command>, <command>logvol</command>, <command>part</command> or <command>raid</command> commands. During installation, the encryption keys for the specified devices are saved in files in <filename>/</filename> (root), encrypted with the certificate. 
+		</para>
+		<para>
+			If you add the  <parameter>--backuppassphrase</parameter> parameter too, <application>anaconda</application> adds a randomly-generated passphrase to each device. Again, each passphrase is stored in an encrypted form in <filename>/</filename> (root), encypted with the X.509 certificate. 
+		</para>
+		<para>
+			Note that this feature is available only while performing a kickstart installation. Refer to <xref linkend="ch-kickstart2"/> for more detail. 
+		</para>
+	</section>
       </section>
    
     <section>
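Review bot: the first <para> of the new "Backing Up Passphrases" section is cut off mid-sentence: "you must have an X.509 certificate available at a location that <application>anaconda</application>." lacks its verb, so the reader is not told what the location must satisfy (presumably that anaconda can reach it during installation, which is what passing a URL to --escrowcert implies); please complete the sentence. The second <para> misspells "encypted". Since both paragraphs tell the reader that the escrow files and backup passphrases land in / on the installed system "encrypted with the certificate", it would help to add that only the private key matching that certificate can decrypt them, so the reader knows to protect that key and to decide whether the files should stay on the installed system; as written the reader only learns that the files exist. Separately, the two lines in the commented-out block that now read just "section>" are left over from stripping the inner "<!--"; they are harmless inside the outer comment but would need to become "<section>" again if the block is ever re-enabled.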
diff --git a/en-US/Kickstart2.xml b/en-US/Kickstart2.xml
index 3852d53..c114516 100644
--- a/en-US/Kickstart2.xml
+++ b/en-US/Kickstart2.xml
@@ -243,6 +243,16 @@ Boot loader configuration
 		<command>--passphrase=</command> — Provide a default system-wide passphrase for all encrypted devices.
 	</para>
 </listitem>
+<listitem>
+	<para>
+		<command>--escrowcert=<replaceable>URL_of_X.509_certificate</replaceable></command> — Store data encryption keys of all encrypted volumes as files in <filename>/</filename> (root), encrypted using the X.509 certificate from the URL specified with <replaceable>URL_of_X.509_certificate</replaceable>. The keys are stored as a separate file for each encrypted volume. This option is only meaningful if <command>--encrypted</command> is specified. 
+	</para>
+</listitem>
+<listitem>
+	<para>
+		<command>--backuppassphrase=</command> — Add a randomly-generated passphrase to each encrypted volume. Store these passphrases in separate files in <filename>/</filename> (root), encrypted using the X.509 certificate specified with <command>--escrowcert</command>. This option is only meaningful if <command>--escrowcert</command> is specified. 
+	</para>
+</listitem>
 					</itemizedlist>
 					
 				</listitem>
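Review bot: in the new autopart entries, "--backuppassphrase=" is written with a trailing "=" as if it took a value, but its description ("Add a randomly-generated passphrase to each encrypted volume") gives the reader nothing to supply, and "--encrypted", referenced in the same paragraph, is written without one. If the option is a bare flag, drop the "="; if it does take an argument, document it with a <replaceable> the way "--escrowcert=<replaceable>URL_of_X.509_certificate</replaceable>" does. The same spelling recurs in the logvol, part and raid entries later in this patch.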
@@ -1257,6 +1267,27 @@ sv-latin1, sg, sg-latin1, sk-querty, slovene, trq, ua,  uk, us, us-acentos
 		 <command>--percent=</command> — Specify the size of the logical volume as a percentage of available space in the volume group.
 	</para>
 </listitem>
+<listitem>
+	<para>
+		<command>--encrypted</command> — Specifies that this logical volume should be encrypted.  
+	</para>
+</listitem>
+
+<listitem>
+	<para>
+		<command>--passphrase=</command> — Specifies the passphrase to use when encrypting this logical volume. Without the above <command>--encrypted</command> option, this option does nothing. If no passphrase is specified, the default system-wide one is used, or the installer will stop and prompt if there is no default. 
+	</para>
+</listitem>
+<listitem>
+	<para>
+		<command>--escrowcert=<replaceable>URL_of_X.509_certificate</replaceable></command> — Store data encryption keys of all encrypted volumes as files in <filename>/</filename> (root), encrypted using the X.509 certificate from the URL specified with <replaceable>URL_of_X.509_certificate</replaceable>. The keys are stored as a separate file for each encrypted volume. This option is only meaningful if <command>--encrypted</command> is specified. 
+	</para>
+</listitem>
+<listitem>
+	<para>
+		<command>--backuppassphrase=</command> — Add a randomly-generated passphrase to each encrypted volume. Store these passphrases in separate files in <filename>/</filename> (root), encrypted using the X.509 certificate specified with <command>--escrowcert</command>. This option is only meaningful if <command>--escrowcert</command> is specified. 
+	</para>
+</listitem>
 						
 						
 					</itemizedlist>
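Review bot: the logvol "--escrowcert=" entry says it stores keys of "all encrypted volumes", but a logvol command describes one logical volume, so the phrasing suggests a system-wide effect that this per-volume option does not have (the autopart entry, where that wording is correct, appears to have been copied). The raid entry later in this patch ("Store the data encryption key for this device in a file") is the accurate wording for a per-device command and could be reused here; likewise "to each encrypted volume" under "--backuppassphrase=" should read "to this logical volume". Minor: the stray blank line between the "--encrypted" and "--passphrase=" listitems and the double space after "encrypted." are inconsistent with the surrounding items.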
@@ -1748,6 +1779,16 @@ All partitions created are formatted as part of the installation process unless
 		<command>--passphrase=</command> — Specifies the passphrase to use when encrypting this partition. Without the above <command>--encrypted</command> option, this option does nothing. If no passphrase is specified, the default system-wide one is used, or the installer will stop and prompt if there is no default. 
 	</para>
 </listitem>
+<listitem>
+	<para>
+		<command>--escrowcert=<replaceable>URL_of_X.509_certificate</replaceable></command> — Store data encryption keys of all encrypted partitions as files in <filename>/</filename> (root), encrypted using the X.509 certificate from the URL specified with <replaceable>URL_of_X.509_certificate</replaceable>. The keys are stored as a separate file for each encrypted partition. This option is only meaningful if <command>--encrypted</command> is specified. 
+	</para>
+</listitem>
+<listitem>
+	<para>
+		<command>--backuppassphrase=</command> — Add a randomly-generated passphrase to each encrypted partition. Store these passphrases in separate files in <filename>/</filename> (root), encrypted using the X.509 certificate specified with <command>--escrowcert</command>. This option is only meaningful if <command>--escrowcert</command> is specified. 
+	</para>
+</listitem>
 					</itemizedlist>
 
 					<note>
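Review bot: as in the logvol hunk, "all encrypted partitions" and "each encrypted partition" overstate the scope of a single part command; "this partition" matches the "--passphrase=" entry directly above, which already says "when encrypting this partition", and would stop a reader from expecting one part line to escrow keys for partitions declared elsewhere in the kickstart file.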
@@ -1876,7 +1917,17 @@ interface) must be able to interact with the system kernel. Contact your manufac
 	<para>
 		<command>--passphrase=</command> — Specifies the passphrase to use when encrypting this RAID device. Without the above <command>--encrypted</command> option, this option does nothing. If no passphrase is specified, the default system-wide one is used, or the installer will stop and prompt if there is no default. 
 	</para>
-</listitem>						
+</listitem>
+<listitem>
+	<para>
+		<command>--escrowcert=<replaceable>URL_of_X.509_certificate</replaceable></command> — Store the data encryption key for this device in a file in <filename>/</filename> (root), encrypted using the X.509 certificate from the URL specified with <replaceable>URL_of_X.509_certificate</replaceable>. This option is only meaningful if <command>--encrypted</command> is specified. 
+	</para>
+</listitem>
+<listitem>
+	<para>
+		<command>--backuppassphrase=</command> — Add a randomly-generated passphrase to this device. Store the passphrase in a file in <filename>/</filename> (root), encrypted using the X.509 certificate specified with <command>--escrowcert</command>. This option is only meaningful if <command>--escrowcert</command> is specified. 
+	</para>
+</listitem>
 					</itemizedlist>
 					<para>
 						The following example shows how to create a RAID level 1 partition for <filename>/</filename>, and a RAID level 5 for <filename>/usr</filename>, assuming there are three SCSI disks on the system. It also creates three
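Review bot: the raid "--escrowcert=" and "--backuppassphrase=" entries are correctly scoped to "this device", but none of the four kickstart entries in this patch says where under / the escrow file is written, what it is named, or how to decrypt it, so an administrator reading only this section cannot locate or use the escrowed key after installation. The "Backing Up Passphrases" section added to DiskEncryptionUserGuide.xml already points here with <xref linkend="ch-kickstart2"/>; a reverse <xref> from these entries to that section (or a short statement of the file location and the need for the certificate's private key) would close the gap.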


commit 88641b01bc3147d1dd1f49ccf31f69142da4de6c
Author: Ruediger Landmann <r.landmann at redhat.com>
Date:   Mon Dec 21 12:28:19 2009 +1000

    Note problem booting systems with older BIOSes

diff --git a/en-US/Graphical_Installation_x86_Starting.xml b/en-US/Graphical_Installation_x86_Starting.xml
index 72bc593..4e2398b 100644
--- a/en-US/Graphical_Installation_x86_Starting.xml
+++ b/en-US/Graphical_Installation_x86_Starting.xml
@@ -39,6 +39,7 @@
 			<secondary>installation program</secondary>
 			<tertiary>x86, AMD64 and <trademark class="registered">Intel</trademark> 64</tertiary>
 		</indexterm>
+		<xi:include href="Important_UEFI.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
 		<para>
 			You can boot the installation program using any one of the following media (depending upon what your system can support):
 		</para>
diff --git a/en-US/Important_UEFI.xml b/en-US/Important_UEFI.xml
new file mode 100644
index 0000000..75ab6cf
--- /dev/null
+++ b/en-US/Important_UEFI.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!DOCTYPE important PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+]>
+
+<important>
+	<title>Important — Booting Older Systems from CD or DVD Media</title>
+	<para>
+		The CD and DVD media include boot catalog entries for both BIOS and UEFI firmware interfaces. This allows you to boot systems based on either firmware interface from the same CD or DVD. However, some systems with very old BIOS implementations cannot handle media with more than one boot catalog entry. These systems will not boot from the CD or DVD and you must instead boot them from USB or PXE. 
+	</para>
+	<para>
+		Note that the boot configurations of UEFI and BIOS differ significantly from each other. Therefore, the installed system must boot using the same firmware that was used during installation. You cannot install the operating system on a system that uses BIOS and then boot this installation on a system that uses UEFI. 
+	</para>
+</important>
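Review bot: the second <para> ("the boot configurations of UEFI and BIOS differ significantly...") makes a different point from the title "Booting Older Systems from CD or DVD Media": it concerns moving an installed system between firmware types, not booting the media, and a reader who skims the admonition title will miss it. Consider splitting it into its own <important> with a matching title, or widening this title. In the first <para>, "some systems with very old BIOS implementations cannot handle media with more than one boot catalog entry" gives the reader no way to recognise an affected machine before the boot fails; stating what the reader will observe in that case would make the instruction to fall back to USB or PXE actionable. Also, the <important> element has no id attribute, so other chapters cannot <xref> to it.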
diff --git a/en-US/beginninginstallation.xml b/en-US/beginninginstallation.xml
index e0529e3..091264e 100644
--- a/en-US/beginninginstallation.xml
+++ b/en-US/beginninginstallation.xml
@@ -17,6 +17,7 @@
       <primary>USB flash media</primary>
       <secondary>booting</secondary>
     </indexterm>
+    <xi:include href="Important_UEFI.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
     <para>To start the installation program from minimal boot media, a
     Live image, or the distribution DVD, follow this procedure:</para>
     <procedure>
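Review bot: this is the second xi:include of Important_UEFI.xml in the same commit (the other is in Graphical_Installation_x86_Starting.xml); if both chapters are built into the same guide the admonition is rendered twice with identical text. Either include it once and <xref> to it from the other location, or give the <important> element an id so the duplicate can later be replaced by a link.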




