Skip to content

Minstall 21 Verified Access

For the uninitiated, "Minstall" generally refers to a category of scripts or projects designed to strip down a standard Linux distribution to its bare essentials. While many users start with a "Minimal ISO" of distributions like Debian, CentOS, or Ubuntu, these installations often still carry background services and packages that aren't strictly necessary for a specific server role (like a web server or VPN node).

Minstall projects act as a post-install optimization layer, removing unnecessary packages, tightening security configurations, and optimizing kernel parameters.

For power grids or water treatment plants, runtime verification against a hardware root of trust (TPM 2.0) ensures no persistent bootkit survives.

gpg --verify minstall-21-verified.iso.sig minstall-21-verified.iso minstall 21 verified

Expected output: Good signature from "Minstall Release Signing Key <release@minstall.org>"

For air-gapped environments, Minstall 21 Verified supports local verification caches. An administrator can pre-download a signed minstall-verified-manifest.json and use it to validate packages from a local mirror, making the system suitable for classified or military networks.

For enterprise deployment, interactive installation defeats scalability. Minstall 21 Verified supports a verified preseed file. Example: For the uninitiated, "Minstall" generally refers to a

# minstall-auto.yaml
version: 21
verification:
  enforce: true
  manifest_url: https://internal-ca.local/minstall/manifest-v21.signed
disk:
  layout: lvm
  wipe: true
packages:
  - openssh-server
  - auditd
post_install:
  - cmd: "minstall-attest --output /var/log/attestation.log"

Boot with:

linux /vmlinuz auto=true preseed.url=https://configs.local/minstall-auto.yaml

The installer will verify the YAML’s GPG signature before executing it.

Once you confirm, Minstall 21 Verified begins: Boot with: linux /vmlinuz auto=true preseed

Should any package fail signature verification, the installer pauses and offers three options:

With hundreds of student workstations, the verified approach prevents tampered OS images from spreading via PXE boot. Minstall 21 Verified integrates with Foreman and The Foreman’s discovery plugin.

The designation "21" typically denotes the version cycle, often aligned with the year or a major version jump. The Minstall 21 update brings several key technical shifts to the table: