Best way to secure Kickstart encrypted partition passwords
I have a CentOS 6.5 environment that boots up servers using Kickstart. One of the requirements of our Kickstart is that the partitions are encrypted. Since Anaconda can only take plain text passwords for LUKS encrypted partitions, what's the best way to secure the Kickstart config files? We are currently serving them over HTTP and soon to be HTTPS.
Solution 1:
What we do is kickstart with a dummy password and then change it after installation.
Solution 2:
If you don't specify a "--passphrase" in your RHEL 6 kickstart config, anaconda will prompt you for a password at installation time. That would help you to avoid storing LUKS passphrases in your kickstart config files entirely.
This doesn't seem to work with RHEL 7; instead the installation fails entirely.