After following up on the suggestions (and thinking some more), I am
concluding that a bootable encrypted root filesystem is perhaps an
over-kill for my need to have in one iso image a complete copy of my
system (including the encrypted home) - the latter for example can be
stored in an encrypted loop-back file easily enough.
For bootable root filesystem, indeed it seems possible (e.g.
http://askubuntu.com/questions/95392/how-to-create-a-bootable-system-with-a-squashfs-root
), with the aid of live-boot and live-boot-initramfs-tools, etc. For
myself though, for now this would be left a project for another day.
Help and suggestions were much appreciated.
On 3/10/14, Boryeu Mao boryeu@gmail.com wrote:
I am running SL via 'livecd-iso-to-disk' from
XL-65-x86_64-2014-02-06-LiveDVD.iso, with an encrypted home. Although
my overlay is fairly large, I don't know (yet) the rate at which it
will grow but expect it to be full eventually, at which point the
system would become un-bootable (as it is abundantly pointed out in
the livecd-iso-do-disk man page). In preparation for such an
eventuality I made an iso of the system fashioned after the LiveDVD
iso; for this iso image, it would be simpler not to treat the home
directory separatly but to include it in the root filesystem, if that
could be encryted, thus my query.
Thanks all for the replies - I will try to followup the pointers and
suggestions.
Regards,
Boryeu
On 3/10/14, David Sommerseth sl+us...@lists.topphemmelig.net wrote:
On 07/03/14 18:33, Boryeu Mao wrote:
In building a bootable DVD image (in the manner of
SL-65-x86_64-2014-02-06-LiveDVD.iso), is it possible to encrypt the
system? If so, should the file LiveOS/squashfs.img be encrypted, or
the file ext3fs.img contained therein? and what other changes (for
example in the boot configuration) would be needed? Hopefully this
is a question not outside of the design goals. Thanks in advance for
any help/pointers.
I've never thought of this need. I don't know if it's possible. The
only thing which cannot be encrypted normally, is /boot. Grub does not
support encryption, but as long as grub can load a kernel and initrd,
the root fs can pretty much be encrypted. You just need to be sure the
initrd contains the needed tools to decrypt the file system (such as
cryptsetup and so on). Dracut has fairly good encryption support these
days. So it should be possible.
I'm sorry I don't have any wise pointers right now.
--
kind regards,
David Sommerseth