Debian Live encrypted persistence

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#31 Post by /dev/null »

Thank you again dzz. I tried -dpkg -i yesterday with 4.0 a9, and luks-persistence didn't work. Thanks for the link to older version.
I think I found another bug: "--interactive shell" parameter doesn't work with "-d sid", lb build just skips it.

BTW maybe you can help me with this :oops: :
http://forums.debian.net/viewtopic.php?f=10&t=101246

IxoT0b
Posts: 1
Joined: 2014-03-14 18:17

Re: Debian Live encrypted persistence

#32 Post by IxoT0b »

Hey,

this thread made it possible for me to create an encrypted persistent debian live system - thanks to all!

I am using live-boot 4.0~a7-1 in a rebuilt initrd, Debian wheezy with Fluxbox on a SanDisk Cruzer Extreme 64 GB - it works perfectly fine.

If anything new comes up pls share!

fsmithred
Posts: 1873
Joined: 2008-01-02 14:52

Re: Debian Live encrypted persistence

#33 Post by fsmithred »

IxoT0b wrote: If anything new comes up pls share!
Yeah, some new things have come up.

refracta2usb has been updated, and it uses live-boot 4.0~a7-1 to rebuild the initrd so you can use encrypted loopback files for persistence or have a read/write media partition.
refracta2usb-0.9.5.deb
http://distro.ibiblio.org/refracta/files/Testing/

dzz has updated his patch-initrd script to use live-boot-4.0~alpha18. That hasn't been added to refracta2usb yet.
http://refracta.freeforums.org/alternat ... html#p3591

AreYouLoco?
Posts: 1
Joined: 2014-04-16 08:45

Re: Debian Live encrypted persistence

#34 Post by AreYouLoco? »

fsmithred wrote:
IxoT0b wrote: If anything new comes up pls share!
Yeah, some new things have come up.
Off Topic
I don't want to be rude but the #debian-live channel didn't help me at all. They don't have to, I know. But why are they sitting on IRC? Nerds...
Yeah, some brand new info. I am sure that some of you will be as happy as I am now about the URLs I have received.

This is what you have been looking for for a long time! It's a distro called Freepto.

Main Download Page
Torrents: Torrent en_GB Torrent es_ES Torrent it_IT

Here is also their GIT repo: https://github.com/AvANa-BBS/freepto-lb
And for those who don't want to download the whole ISO, just the configs to make encrypted persistence:
git -c http.sslVerify=false clone https://v.licheni.net/stack/code/debianlive.git

I suggest you use that distro as the base of your encrypted system with persistence. It seems reliable and secure; I am testing it now.
No one can help you better than Italian hackers :D And now I am ready to contribute to this project.

P.S. The site is in Italian too. I used Google Translate for you. It works fine to get the needed information. Enjoy!

SeventhClaw
Posts: 1
Joined: 2014-05-31 10:27

Re: Debian Live encrypted persistence

#35 Post by SeventhClaw »

Hey there, thanks to this thread and the live-build manual I finally got encrypted persistence to work with wheezy live; figured I might as well post the steps I followed. All the official 7.5.0 live images miss in the end is cryptsetup and live-boot 4.* (jessie/testing now has 4.0~alpha21-1).

So first I installed a full Debian 7.5 amd64 DVD1 XFCE copy in VirtualBox + sudo + a "user" user to build this image with; should be fully reproducible.

The goal was just to produce a slightly more liberal version of the XFCE live CD ISO with encryption. This is pretty sloppy but the end result worked. There was only one conflict with a "plymouth" package following this procedure, seems to be a current issue. Also note I actually ran this only with "--source true", but don't see how that would change anything.

Code:

# Prep
sudo apt-get install cryptsetup debtags git cdebootstrap live-build live-boot live-config --yes
# Restart just in case

sudo -s

# Get stock config
cd /home/user
rm -rf live-images && mkdir live-images && cd live-images
lb config --config git://live.debian.net/git/live-images.git
cd images/xfce-desktop
lb clean

echo -e 'cryptsetup\n' > config/package-lists/custom.list.chroot
mkdir config/archives
echo -e 'deb http://ftp.ca.debian.org/debian/ jessie main contrib non-free' > config/archives/custom.list.chroot
echo -e 'Package: *\nPin: release n=wheezy\nPin-Priority: 990' > config/archives/custom.pref.chroot
# Note: jessie * pin must be -10; if set to 10 fails horribly
echo -e '\nPackage: *\nPin: release n=jessie\nPin-Priority: -10' >> config/archives/custom.pref.chroot
echo -e '\nPackage: live-boot\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot
echo -e '\nPackage: live-boot-initramfs-tools\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot
# Not sure really need these below, but fails without live-boot-initramfs-tools above
echo -e '\nPackage: live-boot-backend\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot
echo -e '\nPackage: live-tools\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot

# Debian bug fix (for ~7.5.0 images):
# IF GET A CONFLICT ERROR with "plymouth" package upon 'lb build':
pico config/package-lists/desktop.list.chroot
# -> Remove all "plymouth*" packages and save

# Change stock config (wheezy & amd64 implied)
lb config --source false --bootstrap cdebootstrap --bootappend-live 'boot=live config quiet splash persistence persistence-encryption=none,luks' --mirror-bootstrap "http://ftp.ca.debian.org/debian/" --mirror-binary "http://ftp.ca.debian.org/debian/" --archive-areas "main contrib non-free"

# Build
lb build

# Transfer to USB (I didn't actually do this, I used the ISO as CD, but for reference...)
dd if=binary.hybrid.iso of=/dev/sdX bs=4M

# Then in a different VM with a blank disk (/dev/sda), 
# needs something along the lines of (warning: from memory)...
fdisk /dev/sda
# o, n, w
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 test
mkfs.ext2 -L persistence /dev/mapper/test
mkdir /mnt/test
mount /dev/mapper/test /mnt/test
# persistence.conf has to be written to the root of the mounted persistence volume
echo '/ union,source=.' > /mnt/test/persistence.conf
# Not sure this is necessary but did it anyway
chown -R user /mnt/test
chmod -R 755 /mnt/test
umount /mnt/test
cryptsetup luksClose test

# Restart with ISO or USB plugged in, same machine as disk above, enter password when prompted...
# ... Persistence!

CampNowhere
Posts: 1
Joined: 2015-03-25 14:54

Re: Debian Live encrypted persistence

#36 Post by CampNowhere »

I figured out how to do it, consistently!

I used Debian 8.

Install live-build.

There is a file that is installed with live-build that must be modified (as of this writing).

Code:

/usr/lib/live/build/chroot_hacks

There is a line, around 79 or so, that looks like this:

Code:

Chroot chroot "${UPDATE_INITRAMFS_OPTIONS} update-initramfs -k all -t -u"

We want to make it look like this:

Code:

Chroot chroot "${UPDATE_INITRAMFS_OPTIONS} CRYPTSETUP=y update-initramfs -k all -t -u"

(Apparently this is fixed in the latest version of live-build, but that version has not hit any repos yet, and this is given as a workaround.)

Now, set up your live build directory as normal. There are a couple things, however that we must be conscious of. First, we need to open up config/binary and find the setting called LB_BOOTAPPEND_LIVE. Leave the list of normal parameters, but make sure it contains the following: 'persistence persistence-encryption=none,luks'. Finally, in one of your config/package-lists/*.list.chroot files, make sure that cryptsetup is installed, at the very least.

Build your iso! Mind you, I've only tested the above method with a hybrid iso, so mileage may vary in other modes. dd the iso and set up your encrypted store as documented elsewhere in this thread, and it should work.
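
A preflight check for the three conditions in post #36 (the boot parameters and the cryptsetup package list also appear in post #35), added here as an example and not part of the original posts. The function names are hypothetical and the checks are plain text matches on the files named in the thread.

```shell
#!/bin/sh
# Added example: preflight checks for a live-build tree before `lb build`.
# Function names are hypothetical; paths and settings are the ones named in the posts.

# The update-initramfs call in chroot_hacks must carry CRYPTSETUP=y (post #36).
check_initramfs_hack() {    # $1 = path to chroot_hacks
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep 'update-initramfs' | grep -q 'CRYPTSETUP=y'
}

# LB_BOOTAPPEND_LIVE must contain "persistence" and a persistence-encryption
# list that includes luks.
check_bootappend() {        # $1 = path to config/binary
    args=$(grep '^LB_BOOTAPPEND_LIVE=' "$1" 2>/dev/null | tail -n 1 |
           sed -e 's/^LB_BOOTAPPEND_LIVE=//' -e "s/[\"']//g")
    has_persist=no; has_luks=no
    for a in $args; do
        case "$a" in
            persistence) has_persist=yes ;;
            persistence-encryption=*)
                case ",${a#*=}," in *,luks,*) has_luks=yes ;; esac ;;
        esac
    done
    [ "$has_persist" = yes ] && [ "$has_luks" = yes ]
}

# Some config/package-lists/*.list.chroot must name the cryptsetup package.
check_cryptsetup_listed() { # $1 = live-build config directory
    for f in "$1"/package-lists/*.list.chroot; do
        [ -f "$f" ] || continue
        # drop comments, split on whitespace, require the exact package name
        if sed 's/#.*//' "$f" | tr ' \t' '\n\n' | grep -qx 'cryptsetup'; then
            return 0
        fi
    done
    return 1
}

# Run all three checks, report each failure, return non-zero if any failed.
preflight() {               # $1 = config directory, $2 = chroot_hacks path
    rc=0
    check_bootappend "$1/binary" ||
        { echo "FAIL: LB_BOOTAPPEND_LIVE lacks persistence or persistence-encryption=...luks"; rc=1; }
    check_cryptsetup_listed "$1" ||
        { echo "FAIL: no package list installs cryptsetup"; rc=1; }
    check_initramfs_hack "$2" ||
        { echo "FAIL: update-initramfs is not run with CRYPTSETUP=y"; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh config /usr/lib/live/build/chroot_hacks
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A build that fails the third check still produces an ISO, but its initrd may lack cryptsetup, so the LUKS persistence volume is never unlocked at boot.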
