Booting encrypted SquashFS from Live CD



























Can we boot an encrypted SquashFS from a live CD? If it is possible, please suggest how to decrypt and boot the OS.



Here I'm using the LUKS encryption technique to secure the SquashFS file, but I'm failing to decrypt the stored SquashFS file container.



Thanks,










      14.04 16.04 live-cd luks squashfs
















      asked May 30 '18 at 10:26









      Mohan






















          1 Answer














          Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)



          Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:




          • Uses chroot to add casper to the installation

          • Modifies casper-helpers to add the encrypted squashfs booting functionality

          • Creates the initial unencrypted squashfs housing the entire file system

          • Uses a random string input to pre-encrypt a new encrypted squashfs file

          • Uses an entered passphrase to then set up the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it

          • Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso


          When the ISO is booted on the machine or in a VM, the encrypted squashfs is transferred completely into RAM, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.



          The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.



          livecd.sh:



          #!/bin/bash

          echo
          echo Setting up /tmp/livecd
          echo
          sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt

          echo
          echo Installing necessary packages
          echo
          sudo apt-get update
          sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup

          echo
          echo Copying over existing system
          echo
          sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/* \
          --exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found \
          --exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/* \
          --exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/* \
          --exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts \
          --exclude=/etc/timezone \
          --exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf \
          --exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs

          echo
          echo Setting up links to chroot
          echo
          sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
          sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
          sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
          sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run

          echo
          echo Processing chroot commands
          echo
          cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
          LANG=
          apt-get update
          apt-get install -y casper lupin-casper
          cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
          CRYPTSETUP=Y
          DEF
          patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
          @@ -141,6 +141,13 @@
          losetup -o "$offset" "$dev" "$fspath"
          else
          losetup "$dev" "$fspath"
          + modprobe dm-crypt
          + mkdir /mnt
          + echo "Enter passphrase: " >&6
          + cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
          + mount -t ext4 /dev/mapper/squash /mnt
          + dev="$(losetup -f)"
          + losetup "$dev" /mnt/filesystem.squashfs
          fi
          echo "$dev"
          return 0
          GHI
          depmod -a $(uname -r)
          update-initramfs -u -k $(uname -r)
          apt autoremove
          apt clean
          find /var/log -regex '.*?[0-9].*?' -exec rm -v {} \;
          find /var/log -type f | while read file
          do
          cat /dev/null | tee $file
          done
          rm /etc/resolv.conf /etc/hostname
          exit
          ABC

          echo
          echo Copying chroot images to livecd
          echo
          export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
          sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
          sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
          sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot

          echo
          echo Removing chroot links
          echo
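          sudo umount /tmp/livecd/chroot/rootfs/proc
          sudo umount /tmp/livecd/chroot/rootfs/sys
          sudo umount /tmp/livecd/chroot/rootfs/dev
          # /run was bind-mounted above as well; release it so mksquashfs does not pack the host's /run
          sudo umount /tmp/livecd/chroot/rootfs/run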

          echo
          echo Creating the squashfs file
          echo
          sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend

          echo
          echo Setting up encrypted squashfs file
          echo
          size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
          ((size=size+size/10))
          ((size=size/1024))
          echo $size
          sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
          dev="$(losetup -f)"
          sudo losetup "$dev" /tmp/livecd/cd/casper/filesystem.squashfs

          echo
          echo Enter a large string of random text below to setup the pre-encryption.
          echo
          sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

          echo
          echo Pre-encrypting entire squashfs with random data
          echo
          sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
          sync
          sync
          sync
          sync
          sudo cryptsetup close squash

          echo
          echo Enter the desired passphrase for the encrypted livecd below.
          echo
          sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

          echo
          echo Creating ext4 into encrypted container
          echo
          sudo mkfs.ext4 -m 0 /dev/mapper/squash
          sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt

          echo
          echo Moving unencrypted squashfs file into encrypted squashfs container
          echo
          sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
          sync
          sync
          sync
          sync
          sudo umount /tmp/livecd/mnt
          sudo cryptsetup close squash
          sudo losetup -d "$dev"

          echo
          echo Creating size and md5sum cd files
          echo
          echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
          find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt

          echo
          echo Creating grub.cfg for the livecd
          echo
          sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
          set default="0"
          set timeout=10

          menuentry "Ubuntu GUI from RAM" {
          linux /casper/vmlinuz boot=casper toram quiet
          initrd /casper/initrd.img
          }

          EOF'

          echo
          echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
          echo
          sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd
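
Review bot: the added `cryptsetup --type plain ... open "$dev" squash >&6` line in the casper-helpers hunk is followed directly by `mount -t ext4 /dev/mapper/squash /mnt` with no status check on either command. Plain mode keeps no header, so a mistyped passphrase still creates the mapping and the first visible failure is the mount; the hunk then carries on to `losetup "$dev" /mnt/filesystem.squashfs` against a file that is not there and still returns 0. Test the mount's exit status, and on failure close the mapping and prompt again (or return non-zero) instead of falling through. `mkdir /mnt` should also be `mkdir -p /mnt` so it does not error when the directory already exists in the initramfs.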





          answered by live.cd (new contributor)
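
An added example, not part of the answer above: plain-mode dm-crypt (`--type plain`) stores no header, so `cryptsetup open` cannot tell a mistyped passphrase from the right one, and the only evidence is what the mapping decrypts to. The sketch below checks the SquashFS and ext superblock signatures so a build can confirm that the container placed on the ISO is not plaintext and that an opened mapping really holds the ext4 file system. The helper names (`read_hex`, `fs_magic`, `container_is_opaque`, `mapping_is_valid`, `make_samples`) and the sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example: signature checks for the plain dm-crypt container built by livecd.sh.
# All function names here are hypothetical helpers, not part of cryptsetup or casper.

# read_hex PATH OFFSET COUNT -> lowercase hex of COUNT bytes starting at OFFSET
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# fs_magic PATH -> prints "squashfs", "ext" or "none"
fs_magic() {
    # SquashFS 4.x superblock begins with the ASCII bytes "hsqs".
    if [ "$(read_hex "$1" 0 4)" = "68737173" ]; then
        echo squashfs
        return 0
    fi
    # ext2/3/4: superblock at byte 1024, s_magic 0xEF53 (little-endian) at
    # offset 56 inside it, i.e. bytes 53 ef at absolute offset 1080.
    if [ "$(read_hex "$1" 1080 2)" = "53ef" ]; then
        echo ext
        return 0
    fi
    echo none
}

# container_is_opaque FILE -> success if the file that goes onto the ISO shows
# no plaintext file-system signature (i.e. the encryption step was not skipped).
container_is_opaque() {
    [ "$(fs_magic "$1")" = "none" ]
}

# mapping_is_valid DEV -> success if the opened mapping exposes the ext superblock
# that mkfs.ext4 wrote; a wrong passphrase decrypts to noise and fails this check.
mapping_is_valid() {
    [ "$(fs_magic "$1")" = "ext" ]
}

# make_samples DIR -> writes three constructed sample images (not real containers),
# each just large enough to carry, or lack, the signature being tested.
make_samples() {
    # Looks like an unencrypted squashfs image.
    printf 'hsqs' > "$1/plain.squashfs"
    # Looks like a correctly decrypted mapping: zeros plus the ext magic at 1080.
    head -c 2048 /dev/zero > "$1/ext.img"
    printf '\123\357' | dd of="$1/ext.img" bs=1 seek=1080 conv=notrunc 2>/dev/null
    # Stands in for ciphertext / wrong-passphrase output: fixed 0xAA filler.
    head -c 2048 /dev/zero | tr '\000' '\252' > "$1/garbage.img"
}

# demo -> runs the checks over the constructed samples and prints the verdicts
demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    for f in plain.squashfs ext.img garbage.img; do
        printf '%s: %s\n' "$f" "$(fs_magic "$dir/$f")"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On the build host, `container_is_opaque /tmp/livecd/cd/casper/filesystem.squashfs` can be run once the script finishes, and `mapping_is_valid /dev/mapper/squash` (as root) after a test `cryptsetup open` with the chosen passphrase.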




















            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1041916%2fbooting-encrypted-squashfs-from-live-cd%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)



            Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:




            • Uses chroot to add casper to the installation

            • Modifies casper-helpers to add the encrypted squashfs booting functionality

            • Creates the inital unencrypted squashfs housing the entire file system

            • Uses a random string input to pre-encrypted a new encrypted squashfs file

            • Uses an entered passphrase to then setup the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it

            • Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso


            When the ISO is booted on the machine or in a VM, the encrypted squashfs is transfered completely into ram, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.



            The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.



            livecd.sh:



            #!/bin/bash

            echo
            echo Setting up /tmp/livecd
            echo
            sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt

            echo
            echo Installing necessary packages
            echo
            sudo apt-get update
            sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup

            echo
            echo Copying over existing system
            echo
            sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/*
            --exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found
            --exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/*
            --exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/*
            --exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts
            --exclude=/etc/timezone
            --exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf
            --exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs

            echo
            echo Setting up links to chroot
            echo
            sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
            sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
            sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
            sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run

            echo
            echo Processing chroot commands
            echo
            cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
            LANG=
            apt-get update
            apt-get install -y casper lupin-casper
            cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
            CRYPTSETUP=Y
            DEF
            patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
            @@ -141,6 +141,13 @@
            losetup -o "$offset" "$dev" "$fspath"
            else
            losetup "$dev" "$fspath"
            + modprobe dm-crypt
            + mkdir /mnt
            + echo "Enter passphrase: " >&6
            + cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
            + mount -t ext4 /dev/mapper/squash /mnt
            + dev="$(losetup -f)"
            + losetup "$dev" /mnt/filesystem.squashfs
            fi
            echo "$dev"
            return 0
            GHI
            depmod -a $(uname -r)
            update-initramfs -u -k $(uname -r)
            apt autoremove
            apt clean
            find /var/log -regex '.*?[0-9].*?' -exec rm -v {} ;
            find /var/log -type f | while read file
            do
            cat /dev/null | tee $file
            done
            rm /etc/resolv.conf /etc/hostname
            exit
            ABC

            echo
            echo Copying chroot images to livecd
            echo
            export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
            sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
            sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
            sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot

            echo
            echo Removing chroot links
            echo
            sudo umount /tmp/livecd/chroot/rootfs/proc
            sudo umount /tmp/livecd/chroot/rootfs/sys
            sudo umount /tmp/livecd/chroot/rootfs/dev

            echo
            echo Creating the squashfs file
            echo
            sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend

            echo
            echo Setting up encrypted squashfs file
            echo
            size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
            ((size=size+size/10))
            ((size=size/1024))
            echo $size
            sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
            dev="$(losetup -f)"
            sudo losetup "$dev" /tmp/livecd/cd/casper/filesystem.squashfs

            echo
            echo Enter a large string of random text below to setup the pre-encryption.
            echo
            sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

            echo
            echo Pre-encrypting entire squshfs with random data
            echo
            sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
            sync
            sync
            sync
            sync
            sudo cryptsetup close squash

            echo
            echo Enter the desired passphrase for the encrypted livecd below.
            echo
            sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

            echo
            echo Creating ext4 into encrypted container
            echo
            sudo mkfs.ext4 -m 0 /dev/mapper/squash
            sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt

            echo
            echo Moving unencrypted squashfs file into encrypted sqaushfs container
            echo
            sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
            sync
            sync
            sync
            sync
            sudo umount /tmp/livecd/mnt
            sudo cryptsetup close squash
            sudo losetup -d "$dev"

            echo
            echo Creating size and md5sum cd files
            echo
            echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
            find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt

            echo
            echo Creating grub.cfg for the livecd
            echo
            sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
            set default="0"
            set timeout=10

            menuentry "Ubuntu GUI from RAM" {
            linux /casper/vmlinuz boot=casper toram quiet
            initrd /casper/initrd.img
            }

            EOF'

            echo
            echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
            echo
            sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd





            share|improve this answer








            New contributor




            live.cd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.

























              0














              Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)



              Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:




              • Uses chroot to add casper to the installation

              • Modifies casper-helpers to add the encrypted squashfs booting functionality

              • Creates the inital unencrypted squashfs housing the entire file system

              • Uses a random string input to pre-encrypted a new encrypted squashfs file

              • Uses an entered passphrase to then setup the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it

              • Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso


              When the ISO is booted on the machine or in a VM, the encrypted squashfs is transfered completely into ram, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.



              The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.



              livecd.sh:



              #!/bin/bash

              echo
              echo Setting up /tmp/livecd
              echo
              sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt

              echo
              echo Installing necessary packages
              echo
              sudo apt-get update
              sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup

              echo
              echo Copying over existing system
              echo
              sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/*
              --exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found
              --exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/*
              --exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/*
              --exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts
              --exclude=/etc/timezone
              --exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf
              --exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs

              echo
              echo Setting up links to chroot
              echo
              sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
              sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
              sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
              sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run

              echo
              echo Processing chroot commands
              echo
              cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
              LANG=
              apt-get update
              apt-get install -y casper lupin-casper
              cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
              CRYPTSETUP=Y
              DEF
              patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
              @@ -141,6 +141,13 @@
              losetup -o "$offset" "$dev" "$fspath"
              else
              losetup "$dev" "$fspath"
              + modprobe dm-crypt
              + mkdir /mnt
              + echo "Enter passphrase: " >&6
              + cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
              + mount -t ext4 /dev/mapper/squash /mnt
              + dev="$(losetup -f)"
              + losetup "$dev" /mnt/filesystem.squashfs
              fi
              echo "$dev"
              return 0
              GHI
              depmod -a $(uname -r)
              update-initramfs -u -k $(uname -r)
              apt autoremove
              apt clean
              find /var/log -regex '.*?[0-9].*?' -exec rm -v {} ;
              find /var/log -type f | while read file
              do
              cat /dev/null | tee $file
              done
              rm /etc/resolv.conf /etc/hostname
              exit
              ABC

              echo
              echo Copying chroot images to livecd
              echo
              export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
              sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
              sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
              sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot

              echo
              echo Removing chroot links
              echo
              sudo umount /tmp/livecd/chroot/rootfs/proc
              sudo umount /tmp/livecd/chroot/rootfs/sys
              sudo umount /tmp/livecd/chroot/rootfs/dev

              echo
              echo Creating the squashfs file
              echo
              sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend

              echo
              echo Setting up encrypted squashfs file
              echo
              size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
              ((size=size+size/10))
              ((size=size/1024))
              echo $size
              sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
              dev="$(losetup -f)"
              sudo losetup "$dev" /tmp/livecd/cd/casper/filesystem.squashfs

              echo
              echo Enter a large string of random text below to setup the pre-encryption.
              echo
              sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

              echo
              echo Pre-encrypting entire squshfs with random data
              echo
              sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
              sync
              sync
              sync
              sync
              sudo cryptsetup close squash

              echo
              echo Enter the desired passphrase for the encrypted livecd below.
              echo
              sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

              echo
              echo Creating ext4 into encrypted container
              echo
              sudo mkfs.ext4 -m 0 /dev/mapper/squash
              sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt

              echo
              echo Moving unencrypted squashfs file into encrypted sqaushfs container
              echo
              sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
              sync
              sync
              sync
              sync
              sudo umount /tmp/livecd/mnt
              sudo cryptsetup close squash
              sudo losetup -d "$dev"

              echo
              echo Creating size and md5sum cd files
              echo
              echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
              find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt

              echo
              echo Creating grub.cfg for the livecd
              echo
              sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
              set default="0"
              set timeout=10

              menuentry "Ubuntu GUI from RAM" {
              linux /casper/vmlinuz boot=casper toram quiet
              initrd /casper/initrd.img
              }

              EOF'

              echo
              echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
              echo
              sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd





              share|improve this answer








              New contributor




              live.cd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.























                0












                0








                0







                Below is a 'one step' bash script that creates an encrypted bootable livecd from an existing Ubuntu installation. (Tested/Working on Ubuntu 18.10)



                Basically, the script copies the existing Ubuntu installation into a set of working directories at /tmp/livecd and:




                • Uses chroot to add casper to the installation

                • Modifies casper-helpers to add the encrypted squashfs booting functionality

                • Creates the inital unencrypted squashfs housing the entire file system

                • Uses a random string input to pre-encrypted a new encrypted squashfs file

                • Uses an entered passphrase to then setup the encrypted squashfs file, create an ext4 file system, and then copy over the unencrypted squashfs file into it

                • Finally, the entire encrypted bootable ISO is created at /tmp/livecd/live-cd.iso


                When the ISO is booted on the machine or in a VM, the encrypted squashfs is transfered completely into ram, the user is asked to enter the proper passphrase, and the squashfs is then unencrypted and used to boot the system.



                The rsync command line string can be modified to add/remove items that are copied from the existing Ubuntu installation when the encrypted livecd is being created.



                livecd.sh:



                #!/bin/bash

                echo
                echo Setting up /tmp/livecd
                echo
                sudo mkdir -p /tmp/livecd/cd/{casper,boot/grub} /tmp/livecd/chroot/rootfs /tmp/livecd/mnt

                echo
                echo Installing necessary packages
                echo
                sudo apt-get update
                sudo apt-get install -y grub2 xorriso squashfs-tools cryptsetup

                echo
                echo Copying over existing system
                echo
                sudo rsync -av --one-file-system --exclude=/swapfile --exclude=/proc/* --exclude=/dev/*
                --exclude=/sys/* --exclude=/tmp/* --exclude=/lost+found
                --exclude=/var/tmp/* --exclude=/boot/grub/* --exclude=/root/*
                --exclude=/var/mail/* --exclude=/var/spool/* --exclude=/media/*
                --exclude=/etc/fstab --exclude=/etc/mtab --exclude=/etc/hosts
                --exclude=/etc/timezone
                --exclude=/etc/X11/xorg.conf* --exclude=/etc/gdm/custom.conf
                --exclude=/etc/lightdm/lightdm.conf --exclude=/tmp/livecd/chroot/rootfs / /tmp/livecd/chroot/rootfs

                echo
                echo Setting up links to chroot
                echo
                sudo mount --bind /dev/ /tmp/livecd/chroot/rootfs/dev
                sudo mount -t proc proc /tmp/livecd/chroot/rootfs/proc
                sudo mount -t sysfs sysfs /tmp/livecd/chroot/rootfs/sys
                sudo mount -o bind /run /tmp/livecd/chroot/rootfs/run

                echo
                echo Processing chroot commands
                echo
                cat <<'ABC' | sudo chroot /tmp/livecd/chroot/rootfs /bin/bash
                LANG=
                apt-get update
                apt-get install -y casper lupin-casper
                cat >> /etc/cryptsetup-initramfs/conf-hook <<'DEF'
                CRYPTSETUP=Y
                DEF
                patch -d /usr/share/initramfs-tools/scripts /usr/share/initramfs-tools/scripts/casper-helpers <<'GHI'
                @@ -141,6 +141,13 @@
                losetup -o "$offset" "$dev" "$fspath"
                else
                losetup "$dev" "$fspath"
                + modprobe dm-crypt
                + mkdir /mnt
                + echo "Enter passphrase: " >&6
                + cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash >&6
                + mount -t ext4 /dev/mapper/squash /mnt
                + dev="$(losetup -f)"
                + losetup "$dev" /mnt/filesystem.squashfs
                fi
                echo "$dev"
                return 0
                GHI
                depmod -a $(uname -r)
                update-initramfs -u -k $(uname -r)
                # -y: stdin is the piped script, so a confirmation prompt would consume the next line
                apt autoremove -y
                apt clean
                find /var/log -regex '.*?[0-9].*?' -exec rm -v {} \;
                find /var/log -type f | while read -r file
                do
                cat /dev/null | tee "$file"
                done
                rm /etc/resolv.conf /etc/hostname
                exit
                ABC

                echo
                echo Copying chroot images to livecd
                echo
                export kversion=`cd /tmp/livecd/chroot/rootfs/boot && ls -1 vmlinuz-* | tail -1 | sed 's@vmlinuz-@@'`
                sudo cp -vp /tmp/livecd/chroot/rootfs/boot/vmlinuz-${kversion} /tmp/livecd/cd/casper/vmlinuz
                sudo cp -vp /tmp/livecd/chroot/rootfs/boot/initrd.img-${kversion} /tmp/livecd/cd/casper/initrd.img
                sudo cp -vp /tmp/livecd/chroot/rootfs/boot/memtest86+.bin /tmp/livecd/cd/boot

                echo
                echo Removing chroot links
                echo
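                sudo umount /tmp/livecd/chroot/rootfs/proc
                sudo umount /tmp/livecd/chroot/rootfs/sys
                sudo umount /tmp/livecd/chroot/rootfs/dev
                # /run was bind-mounted above as well; release it so the host's /run is not packed into the squashfs
                sudo umount /tmp/livecd/chroot/rootfs/run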

                echo
                echo Creating the squashfs file
                echo
                sudo mksquashfs /tmp/livecd/chroot/rootfs /tmp/livecd/filesystem.squashfs -noappend

                echo
                echo Setting up encrypted squashfs file
                echo
                size=$(du --block-size=1 /tmp/livecd/filesystem.squashfs | awk '{print $1}')
                ((size=size+size/10))
                ((size=size/1024))
                echo $size
                sudo dd if=/dev/zero of=/tmp/livecd/cd/casper/filesystem.squashfs bs=1024 count=$size status=progress
                # Attach atomically as root; --show prints the loop device that was allocated
                dev="$(sudo losetup --find --show /tmp/livecd/cd/casper/filesystem.squashfs)"

                echo
                echo Enter a large string of random text below to setup the pre-encryption.
                echo
                sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

                echo
                echo Pre-encrypting entire squashfs with random data
                echo
                # dd stops with "No space left on device" once the mapping is full; that is expected
                sudo dd if=/dev/zero of=/dev/mapper/squash bs=1M status=progress
                sync
                sync
                sync
                sync
                sudo cryptsetup close squash

                echo
                echo Enter the desired passphrase for the encrypted livecd below.
                echo
                sudo cryptsetup --type plain -c aes-xts-plain64 -h sha512 -s 512 open "$dev" squash

                echo
                echo Creating ext4 into encrypted container
                echo
                sudo mkfs.ext4 -m 0 /dev/mapper/squash
                sudo mount -t ext4 /dev/mapper/squash /tmp/livecd/mnt

                echo
                echo Moving unencrypted squashfs file into encrypted squashfs container
                echo
                sudo mv /tmp/livecd/filesystem.squashfs /tmp/livecd/mnt
                sync
                sync
                sync
                sync
                sudo umount /tmp/livecd/mnt
                sudo cryptsetup close squash
                sudo losetup -d "$dev"

                echo
                echo Creating size and md5sum cd files
                echo
                echo -n $(sudo du -s --block-size=1 /tmp/livecd/chroot/rootfs | tail -1 | awk '{print $1}') | sudo tee /tmp/livecd/cd/casper/filesystem.size
                find /tmp/livecd/cd -type f -print0 | sudo xargs -0 md5sum | sed "s@/tmp/livecd/cd@.@" | grep -v md5sum.txt | sudo tee -a /tmp/livecd/cd/md5sum.txt

                echo
                echo Creating grub.cfg for the livecd
                echo
                sudo bash -c 'cat > /tmp/livecd/cd/boot/grub/grub.cfg <<EOF
                set default="0"
                set timeout=10

                menuentry "Ubuntu GUI from RAM" {
                linux /casper/vmlinuz boot=casper toram quiet
                initrd /casper/initrd.img
                }

                EOF'

                echo
                echo Creating bootable ISO at /tmp/livecd for the now encrypted livecd
                echo
                sudo grub-mkrescue -o /tmp/livecd/live-cd.iso /tmp/livecd/cd
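
                Review bot: in the casper-helpers hunk of the script above, the added `cryptsetup --type plain ... open "$dev" squash` line cannot detect a wrong passphrase, because plain mode has no header to verify against, and the `mount -t ext4 /dev/mapper/squash /mnt` that follows is not checked, so a typo at the prompt ends in a failed `losetup "$dev" /mnt/filesystem.squashfs` with no chance to retry. Consider testing the mount's exit status and, on failure, running `cryptsetup close squash` and prompting again. `mkdir /mnt` would be safer as `mkdir -p /mnt`. Also, `-h sha512` in plain mode is a single unsalted hash of the passphrase, so the passphrase alone carries the key strength; a LUKS container, which the question asked about, would add a salted, iterated KDF and passphrase verification.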






























                answered 23 mins ago









                live.cd
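
A check that can be run on the finished container, as an added example that is not part of the answer's script: it classifies what someone without the passphrase can read from casper/filesystem.squashfs (a plaintext SquashFS superblock, a LUKS header, unwritten zero space, or nothing recognisable). The function names, the 10-per-1000 zero-byte threshold and the sample files are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: classify a container file by what is visible without the key.

# Prints one of: squashfs | luks | zero-padded | opaque | empty
classify_container() {
    local f=$1 magic total nonzero zero_permille
    magic=$(head -c 6 "$f" | od -An -tx1 | tr -d ' \n')
    case $magic in
        68737173*)    echo squashfs; return 0 ;;  # "hsqs": plaintext SquashFS superblock
        4c554b53babe) echo luks;     return 0 ;;  # "LUKS" 0xba 0xbe: LUKS header present
    esac
    total=$(wc -c < "$f")
    [ "$total" -gt 0 ] || { echo empty; return 0; }
    # Count bytes that survive deleting NULs; the difference is the zero-byte count.
    nonzero=$(tr -d '\000' < "$f" | wc -c)
    zero_permille=$(( (total - nonzero) * 1000 / total ))
    # Ciphertext has about 4 zero bytes per 1000; far more means unwritten space.
    if [ "$zero_permille" -gt 10 ]; then
        echo zero-padded
    else
        echo opaque
    fi
}

# Constructed sample files (not real images), 64 KiB each.
make_samples() {
    local d=$1
    { printf 'hsqs'; head -c 65532 /dev/urandom; } > "$d/plain.squashfs"
    { printf 'LUKS\272\276'; head -c 65530 /dev/urandom; } > "$d/luks.img"
    # Container whose free space was never overwritten: mostly zeros.
    { head -c 8192 /dev/urandom; head -c 57344 /dev/zero; } > "$d/no-prefill.img"
    # Stand-in for a pre-filled plain dm-crypt container: random throughout.
    head -c 65536 /dev/urandom > "$d/prefilled.img"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%-16s %s\n' "${f##*/}" "$(classify_container "$f")"
done
rm -rf "$demo_dir"
```

On the ISO built by the script the expected result is opaque: plain dm-crypt writes no header, and the pre-fill pass leaves no zero runs that would reveal how much of the container is in use.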
