Booting encrypted SquashFS from Live CD
Can we boot an encrypted squashfs from a live CD? If it is possible, please suggest how to decrypt and boot the OS.
Here I'm using the LUKS encryption technique to secure the squashfs file, but I fail to decrypt the stored squashfs file container.
Thanks,
14.04 16.04 live-cd luks squashfs
asked May 30 '18 at 10:26
Mohan
1 Answer
Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)
Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:
- Uses chroot to add casper to the installation
- Modifies casper-helpers to add the encrypted squashfs booting functionality
- Creates the initial unencrypted squashfs housing the entire file system
- Uses a random string input to pre-encrypt a new encrypted squashfs file
- Uses an entered passphrase to then set up the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it
- Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso
When the ISO is booted on the machine or in a VM, the encrypted squashfs is transferred completely into RAM, the user is asked to enter the proper passphrase, and the squashfs is then decrypted and used to boot the system.
The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.
livecd.sh:
#!/bin/bash
echo
echo Setting up /tmp/livecd
echo
sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt
echo
echo Installing necessary packages
echo
sudo apt-get update
sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup
echo
echo Copying over existing system
echo
sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/* \
--exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found \
--exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/* \
--exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/* \
--exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts \
--exclude=/etc/timezone \
--exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf \
--exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs
echo
echo Setting up links to chroot
echo
sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run
echo
echo Processing chroot commands
echo
cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
LANG=
apt-get update
apt-get install -y casper lupin-casper
cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
CRYPTSETUP=Y
DEF
patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
@@ -141,6 +141,13 @@
losetup -o "$offset" "$dev" "$fspath"
else
losetup "$dev" "$fspath"
+ modprobe dm-crypt
+ mkdir /mnt
+ echo "Enter passphrase: " >&6
+ cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
+ mount -t ext4 /dev/mapper/squash /mnt
+ dev="$(losetup -f)"
+ losetup "$dev" /mnt/filesystem.squashfs
fi
echo "$dev"
return 0
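Review bot: The added `cryptsetup --type plain ... open "$dev" squash` and `mount -t ext4 /dev/mapper/squash /mnt` lines run with no check on their exit status. Plain mode has no header, so cryptsetup cannot tell that a passphrase is wrong; the first sign is the mount failing, after which `losetup "$dev" /mnt/filesystem.squashfs` points at a file that does not exist and the function still reaches `return 0`. Suggest retrying the passphrase until the mount succeeds (closing the `squash` mapping between attempts) and returning non-zero if it never does. `mkdir -p /mnt` would also avoid an error when the directory already exists.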
GHI
depmod -a $(uname -r)
update-initramfs -u -k $(uname -r)
apt autoremove
apt clean
find /var/log -regex '.*?[0-9].*?' -exec rm -v {} \;
find /var/log -type f | while read -r file
do
cat /dev/null | tee "$file"
done
rm /etc/resolv.conf /etc/hostname
exit
ABC
echo
echo Copying chroot images to livecd
echo
export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot
echo
echo Removing chroot links
echo
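sudo umount /tmp/livecd/chroot/rootfs/proc
sudo umount /tmp/livecd/chroot/rootfs/sys
sudo umount /tmp/livecd/chroot/rootfs/dev
# /run was bind-mounted above too; unmount it so mksquashfs does not archive the host's /run
sudo umount /tmp/livecd/chroot/rootfs/run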
echo
echo Creating the squashfs file
echo
sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend
echo
echo Setting up encrypted squashfs file
echo
size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
((size=size+size/10))
((size=size/1024))
echo $size
sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
# Allocate and attach the loop device in one privileged step
dev="$(sudo losetup -f --show /tmp/livecd/cd/casper/filesystem.squashfs)"
echo
echo Enter a large string of random text below to setup the pre-encryption.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Pre-encrypting entire squashfs with random data
echo
sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
sync
sync
sync
sync
sudo cryptsetup close squash
echo
echo Enter the desired passphrase for the encrypted livecd below.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Creating ext4 into encrypted container
echo
sudo mkfs.ext4 -m 0 /dev/mapper/squash
sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt
echo
echo Moving unencrypted squashfs file into encrypted squashfs container
echo
sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
sync
sync
sync
sync
sudo umount /tmp/livecd/mnt
sudo cryptsetup close squash
sudo losetup -d "$dev"
echo
echo Creating size and md5sum cd files
echo
echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt
echo
echo Creating grub.cfg for the livecd
echo
sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
set default="0"
set timeout=10
menuentry "Ubuntu GUI from RAM" {
linux /casper/vmlinuz boot=casper toram quiet
initrd /casper/initrd.img
}
EOF'
echo
echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
echo
sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd
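Plain dm-crypt, as used in the script above, stores no header, so cryptsetup accepts any passphrase and a typo made at build time only shows up as an unbootable disc. The following is an added example, not part of the answer's script: it checks the finished container on the build host (run as root) by looking for the ext4 and SquashFS magic bytes. The function names and the `squashcheck` mapping name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify an encrypted casper container before writing the ISO.
# Usage (as root): sh verify.sh --verify /tmp/livecd/cd/casper/filesystem.squashfs

# Print `count` bytes starting at byte `offset` of a file or block device
# as lowercase hex with no separators.
# $1 = path, $2 = offset, $3 = count
magic_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# The ext4 superblock starts at byte 1024 and its s_magic field (0xEF53,
# stored little-endian) sits 56 bytes in, i.e. at absolute offset 1080.
ext4_magic_present() {
    [ "$(magic_hex "$1" 1080 2)" = "53ef" ]
}

# A SquashFS 4.x image begins with the four bytes "hsqs".
squashfs_magic_present() {
    [ "$(magic_hex "$1" 0 4)" = "68737173" ]
}

# Open the container read-only with the same plain-mode parameters as the
# build script, then confirm ext4 -> filesystem.squashfs is really there.
# A wrong passphrase yields pseudo-random data, so the 2-byte ext4 check
# fails except with probability 1/65536; the mount and the SquashFS check
# catch that remainder.
verify_container() {
    vc_img=$1
    vc_name=squashcheck          # hypothetical mapping name
    vc_rc=1
    vc_mnt=$(mktemp -d) || return 1
    vc_dev=$(losetup -f --show -r "$vc_img") || { rmdir "$vc_mnt"; return 1; }

    if cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 \
            --readonly open "$vc_dev" "$vc_name"; then
        if ! ext4_magic_present "/dev/mapper/$vc_name"; then
            echo "no ext4 superblock: wrong passphrase or damaged container" >&2
        elif mount -t ext4 -o ro,noload "/dev/mapper/$vc_name" "$vc_mnt"; then
            if squashfs_magic_present "$vc_mnt/filesystem.squashfs"; then
                vc_rc=0
            else
                echo "filesystem.squashfs missing or not a SquashFS image" >&2
            fi
            umount "$vc_mnt"
        fi
        cryptsetup close "$vc_name"
    fi

    losetup -d "$vc_dev"
    rmdir "$vc_mnt"
    return "$vc_rc"
}

# Only touch devices when explicitly asked to.
if [ "${1:-}" = "--verify" ]; then
    verify_container "$2"
fi
```

The same `ext4_magic_present` test can gate a passphrase retry loop at boot, since it needs only `dd`, `od` and `tr`.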
New contributor
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1041916%2fbooting-encrypted-squashfs-from-live-cd%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)
Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:
- Uses chroot to add casper to the installation
- Modifies casper-helpers to add the encrypted squashfs booting functionality
- Creates the inital unencrypted squashfs housing the entire file system
- Uses a random string input to pre-encrypted a new encrypted squashfs file
- Uses an entered passphrase to then setup the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it
- Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso
When the ISO is booted on the machine or in a VM, the encrypted squashfs is transfered completely into ram, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.
The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.
livecd.sh:
#!/bin/bash
echo
echo Setting up /tmp/livecd
echo
sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt
echo
echo Installing necessary packages
echo
sudo apt-get update
sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup
echo
echo Copying over existing system
echo
sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/*
--exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found
--exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/*
--exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/*
--exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts
--exclude=/etc/timezone
--exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf
--exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs
echo
echo Setting up links to chroot
echo
sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run
echo
echo Processing chroot commands
echo
cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
LANG=
apt-get update
apt-get install -y casper lupin-casper
cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
CRYPTSETUP=Y
DEF
patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
@@ -141,6 +141,13 @@
losetup -o "$offset" "$dev" "$fspath"
else
losetup "$dev" "$fspath"
+ modprobe dm-crypt
+ mkdir /mnt
+ echo "Enter passphrase: " >&6
+ cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
+ mount -t ext4 /dev/mapper/squash /mnt
+ dev="$(losetup -f)"
+ losetup "$dev" /mnt/filesystem.squashfs
fi
echo "$dev"
return 0
GHI
depmod -a $(uname -r)
update-initramfs -u -k $(uname -r)
apt autoremove
apt clean
find /var/log -regex '.*?[0-9].*?' -exec rm -v {} ;
find /var/log -type f | while read file
do
cat /dev/null | tee $file
done
rm /etc/resolv.conf /etc/hostname
exit
ABC
echo
echo Copying chroot images to livecd
echo
export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot
echo
echo Removing chroot links
echo
sudo umount /tmp/livecd/chroot/rootfs/proc
sudo umount /tmp/livecd/chroot/rootfs/sys
sudo umount /tmp/livecd/chroot/rootfs/dev
echo
echo Creating the squashfs file
echo
sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend
echo
echo Setting up encrypted squashfs file
echo
size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
((size=size+size/10))
((size=size/1024))
echo $size
sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
dev="$(losetup -f)"
sudo losetup "$dev" /tmp/livecd/cd/casper/filesystem.squashfs
echo
echo Enter a large string of random text below to setup the pre-encryption.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Pre-encrypting entire squshfs with random data
echo
sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
sync
sync
sync
sync
sudo cryptsetup close squash
echo
echo Enter the desired passphrase for the encrypted livecd below.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Creating ext4 into encrypted container
echo
sudo mkfs.ext4 -m 0 /dev/mapper/squash
sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt
echo
echo Moving unencrypted squashfs file into encrypted sqaushfs container
echo
sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
sync
sync
sync
sync
sudo umount /tmp/livecd/mnt
sudo cryptsetup close squash
sudo losetup -d "$dev"
echo
echo Creating size and md5sum cd files
echo
echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt
echo
echo Creating grub.cfg for the livecd
echo
sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
set default="0"
set timeout=10
menuentry "Ubuntu GUI from RAM" {
linux /casper/vmlinuz boot=casper toram quiet
initrd /casper/initrd.img
}
EOF'
echo
echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
echo
sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd
New contributor
add a comment |
Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)
Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:
- Uses chroot to add casper to the installation
- Modifies casper-helpers to add the encrypted squashfs booting functionality
- Creates the inital unencrypted squashfs housing the entire file system
- Uses a random string input to pre-encrypted a new encrypted squashfs file
- Uses an entered passphrase to then setup the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it
- Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso
When the ISO is booted on the machine or in a VM, the encrypted squashfs is transfered completely into ram, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.
The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.
livecd.sh:
#!/bin/bash
echo
echo Setting up /tmp/livecd
echo
sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt
echo
echo Installing necessary packages
echo
sudo apt-get update
sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup
echo
echo Copying over existing system
echo
sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/*
--exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found
--exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/*
--exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/*
--exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts
--exclude=/etc/timezone
--exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf
--exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs
echo
echo Setting up links to chroot
echo
sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run
echo
echo Processing chroot commands
echo
cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
LANG=
apt-get update
apt-get install -y casper lupin-casper
cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
CRYPTSETUP=Y
DEF
patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
@@ -141,6 +141,13 @@
losetup -o "$offset" "$dev" "$fspath"
else
losetup "$dev" "$fspath"
+ modprobe dm-crypt
+ mkdir /mnt
+ echo "Enter passphrase: " >&6
+ cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
+ mount -t ext4 /dev/mapper/squash /mnt
+ dev="$(losetup -f)"
+ losetup "$dev" /mnt/filesystem.squashfs
fi
echo "$dev"
return 0
GHI
depmod -a $(uname -r)
update-initramfs -u -k $(uname -r)
apt autoremove
apt clean
find /var/log -regex '.*?[0-9].*?' -exec rm -v {} ;
find /var/log -type f | while read file
do
cat /dev/null | tee $file
done
rm /etc/resolv.conf /etc/hostname
exit
ABC
echo
echo Copying chroot images to livecd
echo
export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot
echo
echo Removing chroot links
echo
sudo umount /tmp/livecd/chroot/rootfs/proc
sudo umount /tmp/livecd/chroot/rootfs/sys
sudo umount /tmp/livecd/chroot/rootfs/dev
echo
echo Creating the squashfs file
echo
sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend
echo
echo Setting up encrypted squashfs file
echo
size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
((size=size+size/10))
((size=size/1024))
echo $size
sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
dev="$(losetup -f)"
sudo losetup "$dev" /tmp/livecd/cd/casper/filesystem.squashfs
echo
echo Enter a large string of random text below to setup the pre-encryption.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Pre-encrypting entire squshfs with random data
echo
sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
sync
sync
sync
sync
sudo cryptsetup close squash
echo
echo Enter the desired passphrase for the encrypted livecd below.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Creating ext4 into encrypted container
echo
sudo mkfs.ext4 -m 0 /dev/mapper/squash
sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt
echo
echo Moving unencrypted squashfs file into encrypted sqaushfs container
echo
sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
sync
sync
sync
sync
sudo umount /tmp/livecd/mnt
sudo cryptsetup close squash
sudo losetup -d "$dev"
echo
echo Creating size and md5sum cd files
echo
echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt
echo
echo Creating grub.cfg for the livecd
echo
sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
set default="0"
set timeout=10
menuentry "Ubuntu GUI from RAM" {
linux /casper/vmlinuz boot=casper toram quiet
initrd /casper/initrd.img
}
EOF'
echo
echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
echo
sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd
New contributor
add a comment |
Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)
Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:
- Uses chroot to add casper to the installation
- Modifies casper-helpers to add the encrypted squashfs booting functionality
- Creates the inital unencrypted squashfs housing the entire file system
- Uses a random string input to pre-encrypted a new encrypted squashfs file
- Uses an entered passphrase to then setup the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it
- Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso
When the ISO is booted on the machine or in a VM, the encrypted squashfs is transfered completely into ram, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.
The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.
livecd.sh:
#!/bin/bash
echo
echo Setting up /tmp/livecd
echo
sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt
echo
echo Installing necessary packages
echo
sudo apt-get update
sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup
echo
echo Copying over existing system
echo
sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/*
--exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found
--exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/*
--exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/*
--exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts
--exclude=/etc/timezone
--exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf
--exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs
echo
echo Setting up links to chroot
echo
sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run
echo
echo Processing chroot commands
echo
cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
LANG=
apt-get update
apt-get install -y casper lupin-casper
cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
CRYPTSETUP=Y
DEF
patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
@@ -141,6 +141,13 @@
losetup -o "$offset" "$dev" "$fspath"
else
losetup "$dev" "$fspath"
+ modprobe dm-crypt
+ mkdir /mnt
+ echo "Enter passphrase: " >&6
+ cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
+ mount -t ext4 /dev/mapper/squash /mnt
+ dev="$(losetup -f)"
+ losetup "$dev" /mnt/filesystem.squashfs
fi
echo "$dev"
return 0
GHI
depmod -a $(uname -r)
update-initramfs -u -k $(uname -r)
apt autoremove
apt clean
find /var/log -regex '.*?[0-9].*?' -exec rm -v {} ;
find /var/log -type f | while read file
do
cat /dev/null | tee $file
done
rm /etc/resolv.conf /etc/hostname
exit
ABC
echo
echo Copying chroot images to livecd
echo
export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot
echo
echo Removing chroot links
echo
sudo umount /tmp/livecd/chroot/rootfs/proc
sudo umount /tmp/livecd/chroot/rootfs/sys
sudo umount /tmp/livecd/chroot/rootfs/dev
echo
echo Creating the squashfs file
echo
sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend
echo
echo Setting up encrypted squashfs file
echo
size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
((size=size+size/10))
((size=size/1024))
echo $size
sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
dev="$(losetup -f)"
sudo losetup "$dev" /tmp/livecd/cd/casper/filesystem.squashfs
echo
echo Enter a large string of random text below to setup the pre-encryption.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Pre-encrypting entire squshfs with random data
echo
sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
sync
sync
sync
sync
sudo cryptsetup close squash
echo
echo Enter the desired passphrase for the encrypted livecd below.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Creating ext4 into encrypted container
echo
sudo mkfs.ext4 -m 0 /dev/mapper/squash
sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt
echo
echo Moving unencrypted squashfs file into encrypted sqaushfs container
echo
sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
sync
sync
sync
sync
sudo umount /tmp/livecd/mnt
sudo cryptsetup close squash
sudo losetup -d "$dev"
echo
echo Creating size and md5sum cd files
echo
echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt
echo
echo Creating grub.cfg for the livecd
echo
sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
set default="0"
set timeout=10
menuentry "Ubuntu GUI from RAM" {
linux /casper/vmlinuz boot=casper toram quiet
initrd /casper/initrd.img
}
EOF'
echo
echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
echo
sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd
New contributor
Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)
Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:
- Uses chroot to add casper to the installation
- Modifies casper-helpers to add the encrypted squashfs booting functionality
- Creates the inital unencrypted squashfs housing the entire file system
- Uses a random string input to pre-encrypted a new encrypted squashfs file
- Uses an entered passphrase to then setup the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it
- Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso
When the ISO is booted on the machine or in a VM, the encrypted squashfs is transfered completely into ram, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.
The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.
livecd.sh:
#!/bin/bash
echo
echo Setting up /tmp/livecd
echo
sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt
echo
echo Installing necessary packages
echo
sudo apt-get update
sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup
echo
echo Copying over existing system
echo
sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/*
--exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found
--exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/*
--exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/*
--exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts
--exclude=/etc/timezone
--exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf
--exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs
echo
echo Setting up links to chroot
echo
sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run
echo
echo Processing chroot commands
echo
cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
LANG=
apt-get update
apt-get install -y casper lupin-casper
cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
CRYPTSETUP=Y
DEF
patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
@@ -141,6 +141,13 @@
losetup -o "$offset" "$dev" "$fspath"
else
losetup "$dev" "$fspath"
+ modprobe dm-crypt
+ mkdir /mnt
+ echo "Enter passphrase: " >&6
+ cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
+ mount -t ext4 /dev/mapper/squash /mnt
+ dev="$(losetup -f)"
+ losetup "$dev" /mnt/filesystem.squashfs
fi
echo "$dev"
return 0
GHI
depmod -a $(uname -r)
update-initramfs -u -k $(uname -r)
apt autoremove
apt clean
# Delete rotated logs, then truncate the remaining log files in place
find /var/log -regex '.*?[0-9].*?' -exec rm -v {} \;
find /var/log -type f | while read -r file
do
cat /dev/null | tee "$file"
done
rm /etc/resolv.conf /etc/hostname
exit
ABC
echo
echo Copying chroot images to livecd
echo
export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot
echo
echo Removing chroot links
echo
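sudo umount /tmp/livecd/chroot/rootfs/proc
sudo umount /tmp/livecd/chroot/rootfs/sys
sudo umount /tmp/livecd/chroot/rootfs/dev
# /run was bind-mounted above as well; release it so the host's /run is not packed into the squashfs
sudo umount /tmp/livecd/chroot/rootfs/run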
echo
echo Creating the squashfs file
echo
sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend
echo
echo Setting up encrypted squashfs file
echo
size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
((size=size+size/10))
((size=size/1024))
echo $size
sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
# Finding a free loop device needs root, like the losetup call that follows
dev="$(sudo losetup -f)"
sudo losetup "$dev" /tmp/livecd/cd/casper/filesystem.squashfs
echo
echo Enter a large string of random text below to setup the pre-encryption.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Pre-encrypting entire squashfs with random data
echo
sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
sync
sync
sync
sync
sudo cryptsetup close squash
echo
echo Enter the desired passphrase for the encrypted livecd below.
echo
sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash
echo
echo Creating ext4 into encrypted container
echo
sudo mkfs.ext4 -m 0 /dev/mapper/squash
sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt
echo
echo Moving unencrypted squashfs file into encrypted squashfs container
echo
sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
sync
sync
sync
sync
sudo umount /tmp/livecd/mnt
sudo cryptsetup close squash
sudo losetup -d "$dev"
echo
echo Creating size and md5sum cd files
echo
echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt
echo
echo Creating grub.cfg for the livecd
echo
sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
set default="0"
set timeout=10
menuentry "Ubuntu GUI from RAM" {
linux /casper/vmlinuz boot=casper toram quiet
initrd /casper/initrd.img
}
EOF'
echo
echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
echo
sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd
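Review bot: In the `casper-helpers` hunk, nothing checks whether `cryptsetup ... open "$dev" squash` or `mount -t ext4 /dev/mapper/squash /mnt` succeeded, yet the function still falls through to `return 0`. With `--type plain` there is no header to validate the passphrase against, so a mistyped passphrase still produces a mapping and the first visible failure is the ext4 mount; test the mount's exit status and either re-prompt or return non-zero before the second `losetup`. `mkdir /mnt` would be safer as `mkdir -p /mnt`, and because the added lines sit unconditionally in the `else` branch they run for every image set up there, so gating them on the encrypted container is worth considering.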
answered 12 mins ago
live.cd
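A check that could be run on `/tmp/livecd/cd/casper/filesystem.squashfs` before building the ISO, as an added example that is not part of the answer above: it confirms the image carries no plaintext SquashFS or LUKS header and that no zero-filled or otherwise compressible regions remain, which is what the pre-encryption pass is for. The function names, return codes and the 99% threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the answer: sanity-check an image that should be a
# header-less (plain) dm-crypt container filled end to end with ciphertext.
# Function names, return codes and the 99% threshold are hypothetical.

# Print the first N bytes of FILE as lowercase hex without separators.
head_hex() { head -c "$2" "$1" | od -A n -v -t x1 | tr -d ' \n'; }

# Print how many percent of FILE's size remain after gzip -1.
# Ciphertext stays at about 100; zero-filled slack drags the figure down.
gzip_percent() {
    size=$(wc -c < "$1")
    [ "$size" -gt 0 ] || { echo 0; return; }
    packed=$(gzip -1 -c "$1" | wc -c)
    echo $(( packed * 100 / size ))
}

# Return 0 if IMG looks like pure ciphertext, otherwise 1, 2 or 3.
check_container() {
    img=$1
    case "$(head_hex "$img" 6)" in
        68737173*)    # "hsqs": the SquashFS superblock magic
            echo "plaintext SquashFS at offset 0"; return 1 ;;
        4c554b53babe) # "LUKS" 0xBA 0xBE: a LUKS header, not plain mode
            echo "LUKS header found, not a plain-mode container"; return 2 ;;
    esac
    pct=$(gzip_percent "$img")
    if [ "$pct" -lt 99 ]; then
        echo "compresses to ${pct}%: zero-filled or plaintext regions remain"
        return 3
    fi
    echo "ok: no known header, incompressible (${pct}%)"
}

# Usage: sh check.sh /tmp/livecd/cd/casper/filesystem.squashfs
if [ "$#" -gt 0 ]; then
    check_container "$1"
fi
```

A non-zero result means the container step was skipped or the slack space was never overwritten; a zero result does not prove the passphrase or cipher settings are sound.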