After following up on the suggestions (and thinking some more), I am concluding that a bootable encrypted root filesystem is perhaps an over-kill for my need to have in one iso image a complete copy of my system (including the encrypted home) - the latter for example can be stored in an encrypted loop-back file easily enough.
For bootable root filesystem, indeed it seems possible (e.g. http://askubuntu.com/questions/95392/how-to-create-a-bootable-system-with-a-squashfs-root ), with the aid of live-boot and live-boot-initramfs-tools, etc. For myself though, for now this would be left as a project for another day. Help and suggestions were much appreciated.

On 3/10/14, Boryeu Mao <boryeu....@gmail.com> wrote:
> I am running SL via 'livecd-iso-to-disk' from
> XL-65-x86_64-2014-02-06-LiveDVD.iso, with an encrypted home. Although
> my overlay is fairly large, I don't know (yet) the rate at which it
> will grow but expect it to be full eventually, at which point the
> system would become un-bootable (as it is abundantly pointed out in
> the livecd-iso-to-disk man page). In preparation for such an
> eventuality I made an iso of the system fashioned after the LiveDVD
> iso; for this iso image, it would be simpler not to treat the home
> directory separately but to include it in the root filesystem, if that
> could be encrypted, thus my query.
>
> Thanks all for the replies - I will try to follow up the pointers and
> suggestions.
>
> Regards,
> Boryeu
>
> On 3/10/14, David Sommerseth <sl+us...@lists.topphemmelig.net> wrote:
>> On 07/03/14 18:33, Boryeu Mao wrote:
>>> In building a bootable DVD image (in the manner of
>>> SL-65-x86_64-2014-02-06-LiveDVD.iso), is it possible to encrypt the
>>> system? If so, should the file LiveOS/squashfs.img be encrypted, or
>>> the file ext3fs.img contained therein? and what other changes (for
>>> example in the boot configuration) would be needed? Hopefully this
>>> is a question not outside of the design goals. Thanks in advance for
>>> any help/pointers.
>>
>> I've never thought of this need. I don't know if it's possible. The
>> only thing which cannot be encrypted normally, is /boot. Grub does not
>> support encryption, but as long as grub can load a kernel and initrd,
>> the root fs can pretty much be encrypted. You just need to be sure the
>> initrd contains the needed tools to decrypt the file system (such as
>> cryptsetup and so on). Dracut has fairly good encryption support these
>> days. So it should be possible.
>>
>> I'm sorry I don't have any wise pointers right now.
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>>
>>
>
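
The condition described in the quoted reply, that the initrd must carry the tools needed to unlock the root filesystem, can be checked against an initrd file listing such as the output of `lsinitrd`. This is an added example, not part of the thread; the function name, the list of required components and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input: an initrd file listing on stdin,
# one entry per line (plain paths, or `ls -l`-style lines ending in the path).
# Assumption: dm-crypt and dm-mod are built as modules; on a kernel that has
# them built in, their absence from the listing is expected.

# Prints each missing component on its own line; returns 0 only if none.
initrd_missing_crypto() {
    listing=$(cat)
    missing=""
    # Each spec is name=extended-regex, matched against the listing lines.
    for spec in \
        'cryptsetup=(^|[[:space:]/])s?bin/cryptsetup$' \
        'dm-crypt=/dm-crypt\.ko(\.(gz|xz|zst))?$' \
        'dm-mod=/dm-mod\.ko(\.(gz|xz|zst))?$'
    do
        name=${spec%%=*}
        regex=${spec#*=}
        if ! printf '%s\n' "$listing" | grep -Eq -- "$regex"; then
            missing="$missing $name"
        fi
    done
    for name in $missing; do printf '%s\n' "$name"; done
    [ -z "$missing" ]
}

# Constructed sample listings (KVER is a placeholder kernel version).
SAMPLE_OK='sbin/cryptsetup
sbin/dmsetup
lib/modules/KVER/kernel/drivers/md/dm-mod.ko
lib/modules/KVER/kernel/drivers/md/dm-crypt.ko'

SAMPLE_PLAIN='sbin/dmsetup
bin/mount
lib/modules/KVER/kernel/drivers/md/dm-mod.ko'

# Stand-alone demonstration: report what the unencrypted-root listing lacks.
printf '%s\n' "$SAMPLE_PLAIN" | initrd_missing_crypto || true
```

On a real system the listing would come from `lsinitrd IMAGE | initrd_missing_crypto`, and a non-zero exit means the image cannot unlock an encrypted root as built.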