Call for votes: Server Technical Specification

Miloslav Trmač mitr at volny.cz
Mon Mar 3 15:14:04 UTC 2014


2014-03-03 15:12 GMT+01:00 Stephen Gallagher <sgallagh at redhat.com>:

> A magical solution that I could see would be for us to be able to
> retrieve the key from a network location (such as the FreeIPA Domain
> Controller?) during system start. We'd have to have network access
> prior to mounting disks, of course.
>

In fact such a thing was designed (but AFAIK not implemented) for
FreeIPA a few years ago, broadly along the lines of your description.


> If we could implement all of that, I'd be in favor of making
> encryption (and this escrow) the default.
>

It would be kind of ugly that installing a domain-joined server results in
an encrypted system and installing a stand-alone server presumably
doesn't.  Or would we recommend encrypting even the non-domain-joined
server?  In a homogeneous Fedora deployment, the only such server should be
FreeIPA (with all the critical Kerberos data), so offering to encrypt it by
default would probably be justifiable.

In any case, if we support encryption in the installer GUI, the user needs
to make a choice; not necessarily in the partitioning dialog where it is
offered currently.
    Mirek