Laptop passwords. Typing once, using twice

For anyone who studied my previous blog post very carefully, it was possible to get a hint of today's topic. The lvm-simple-parametric.sh script referenced there contains lines that attempt to use a passphrase, which only becomes available after doing something similar to what follows below.

According to my philosophy, laptops come with two passwords which could and practically should be the same, namely the user account password and the disk encryption passphrase. While I'm no great supporter of credential reuse in general, I consider these specific ones an exception to the rule. They both essentially serve the same purpose, in providing some security against attackers with physical access to the machine, and they both need to be memorized. If I lose a laptop, for me personally, I do not see how using a LUKS passphrase different from my screen saver password would reduce risk. I do however acknowledge that not everyone shares my low threat level.

Once one-password.sh is included among your debian-installer files, combining the account password and disk passphrase into a single debconf question is as easy as putting the following in your laptop's preseed file:

    d-i preseed/numbered_early_command_11 string wget+sh \
        http://pxeserver./preseed/preseed-lib/one-password.sh

Clearly, the first and second posts on scripting_flexibility.txt, as well as the one on partitioning (mentioned in the very first sentence), are required for the above to fully work.
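The following is an added example, not the author's one-password.sh: a sketch of the fan-out step, where one secret that has already been asked for once is written to the four stock debian-installer password questions. The function names, return codes and the use of mktemp are assumptions made for this illustration; the prompt itself is not shown.

```shell
#!/bin/sh
# Added example: hypothetical helper, not the author's one-password.sh.
# Stock debian-installer password questions to fill from one secret.
QUESTIONS="passwd/user-password passwd/user-password-again
partman-crypto/passphrase partman-crypto/passphrase-again"
NL='
'

# validate_secret ENTRY CONFIRMATION
# 0 = usable, 2 = empty, 3 = confirmation differs,
# 4 = contains a newline, 5 = ends in a backslash.
validate_secret() {
    [ -n "$1" ] || return 2
    [ "$1" = "$2" ] || return 3
    case $1 in
        *"$NL"*) return 4 ;;  # would start a second, unintended selection line
        *\\) return 5 ;;      # backslash at end of line is the continuation character
    esac
    return 0
}

# selections_for SECRET: one preseed line per question. Exactly one space
# precedes the value; extra whitespace would become part of the value.
selections_for() {
    for q in $QUESTIONS; do
        printf 'd-i %s password %s\n' "$q" "$1"
    done
}

# apply_one_password ENTRY CONFIRMATION [LOADER]
# LOADER (assumption: takes a file argument) defaults to debconf-set-selections.
apply_one_password() {
    validate_secret "$1" "$2" || return $?
    tmp=$(umask 077; mktemp) || return 1   # file holds the secret: owner-only
    selections_for "$1" >"$tmp"
    rc=0
    "${3:-debconf-set-selections}" "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

The validation matters because the secret is interpolated into a line-oriented format: a newline or a trailing backslash in the passphrase would otherwise change which debconf values get set.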


2020-06-14 18:17:11 +0000
Thoughts and feedback may be directed at me using the channel listed on my contact page.
