Debian Live encrypted persistence
I'm trying to set up an encrypted persistent partition for Debian Live.
I'm using a custom build made this way:
lb_config -d sid -b hdd --interactive-shell
The only additional package is cryptsetup.
Persistence works well but only when persistent partition is non-encrypted.
For encrypted partition - I've got a prompt for password and everything, but changes disappear after reboot.
I tried the method with an encrypted partition and a persistence.conf file in its root (inside the file there's "/ union", and the partition has the label "persistence"),
and the method with an image file (the persistence.conf file is in the root of an image file called persistence, which is inside the encrypted partition).
Boot parameters are: persistence and persistence-encryption=luks
What am I doing wrong?
Does encrypted persistence work for anyone here?
Re: Debian Live encrypted persistence
I never managed to, nor even heard of anybody who did, get LUKS encryption working for persistence. I don't believe it actually works. If that's incorrect I too want to know the answer. I suspect what happens is, the persistence department gets opened but then lost further into the boot process.
The live-boot docs and man pages (squeeze) seem to say only AES is supported but I never tried that. Wheezy/sid docs refer to Luks but seem to be incomplete.
It is possible to use a "live-hook" initscript to activate a Luks /home partition or loopback file before login, that works for me. More details are posted at Refracta forums.
Re: Debian Live encrypted persistence
On what kind of drive is the persistent partition located?
Phil
Re: Debian Live encrypted persistence
@pcalvert
On the second partition of Debian Live pendrive
@dzz
Thank you for info. Bad news but still something. I will definitely check that hack.
Anyway, here's one of my messages from the Debian Live mailing list. It points to the moment in the boot procedure when the possible bug occurs. Maybe someone more competent than me can make some use of it.
I checked /var/log/live/boot.log using debug as another boot parameter and compared it to the boot.log file extracted from another Debian Live pendrive on which the persistent partition is NON-encrypted.
The interesting part is this:
At a certain point of the boot process all partitions are probed for a filesystem label. For my NON-encrypted Debian Live it goes like this:
+ probe_for_fs_label live-rw home-rw persistence /dev/sdb2
+ local overlays dev
+ overlays=live-rw home-rw persistence
+ dev=/dev/sdb2
+ /sbin/blkid -s LABEL -o value /dev/sdb2
+ [ persistence = live-rw ]
+ /sbin/blkid -s LABEL -o value /dev/sdb2
+ [ persistence = home-rw ]
+ /sbin/blkid -s LABEL -o value /dev/sdb2
+ [ persistence = persistence ]
+ echo persistence=/dev/sdb2
+ result=persistence=/dev/sdb2
So as you can see, my persistent partition label "persistence" matched one of the overlays: "persistence".
Now in the same place in the boot.log file from the Debian Live with the encrypted partition it goes like this:
+ probe_for_fs_label live-rw home-rw persistence Loading /etc/boottime.kmap.gz /dev/mapper/sdb2
+ local overlays dev
+ overlays=live-rw home-rw persistence
+ dev=Loading
+ /sbin/blkid -s LABEL -o value Loading
+ [ = live-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = home-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = persistence ]
+ result=
+ [ -n ]
So it looks like the filesystem label is not set. But that is not true!
I double-checked it:
I plugged the Debian Live pendrive into my regular desktop Debian machine and ran:
cryptsetup luksOpen /dev/sdb2 xxx (sdb2 is the luks-encrypted persistent partition)
e2label /dev/mapper/xxx
and the output is:
persistence
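In the encrypted-partition log above, the words "Loading /etc/boottime.kmap.gz" sit in the argument list ahead of /dev/mapper/sdb2, so `dev` becomes the literal word Loading and blkid is asked for the label of something that is not a device. The sh block below is an added illustration, not live-boot's own code, of how a helper that prints a status message on stdout while its output is captured produces exactly that shape, next to the stderr fix and a cheap sanity check on a captured device list; the overlay names and the message text come from the quoted log, while blkid is replaced by a constructed lookup table so it runs without root or a pendrive.

```shell
#!/bin/sh
# Added illustration, not live-boot's code: a status message printed on
# stdout ends up inside a device list that the caller captures with $(...),
# which is one way to arrive at "dev=Loading" as seen in the boot.log above.

# Constructed stand-in for `blkid -s LABEL -o value DEV`: a fixed table
# instead of real block devices, so this runs without root.
fake_blkid_label() {
    case "$1" in
        /dev/sdb1)        echo "DEBIAN_LIVE" ;;
        /dev/mapper/sdb2) echo "persistence" ;;
        *)                return 2 ;;   # unknown device: no output, like blkid
    esac
}

# Same calling convention as the probe in the log: three overlay names,
# then the device to probe as the fourth argument. Prints "overlay=device"
# when the device's label matches one of the overlay names, else nothing.
probe_for_fs_label() {
    overlays="$1 $2 $3"
    dev="$4"
    result=""
    for overlay in $overlays; do
        label=$(fake_blkid_label "$dev") || label=""
        if [ "$label" = "$overlay" ]; then
            result="${overlay}=${dev}"
        fi
    done
    echo "$result"
}

# Helper that reports progress on stdout: whatever the caller captures from
# it now contains the message words as well as the device path.
find_devices_noisy() {
    echo "Loading /etc/boottime.kmap.gz"
    echo "/dev/mapper/sdb2"
}

# Same helper with the message routed to stderr: stdout carries device
# paths only, so the captured list stays clean.
find_devices_quiet() {
    echo "Loading /etc/boottime.kmap.gz" >&2
    echo "/dev/mapper/sdb2"
}

# Capture the helper's stdout and pass it on unquoted, as the boot scripts
# do; the shell word-splits it, so each word becomes a separate argument.
run_probe() {
    devices=$("$1")
    # shellcheck disable=SC2086  # word splitting is the point here
    probe_for_fs_label live-rw home-rw persistence $devices
}

# Sanity check for a captured device list: every word should be a path
# under /dev, otherwise something polluted the stdout channel.
devices_look_clean() {
    for word in $1; do
        case "$word" in
            /dev/*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

echo "noisy helper -> '$(run_probe find_devices_noisy)'"   # empty: dev=Loading
echo "quiet helper -> '$(run_probe find_devices_quiet)'"   # persistence=/dev/mapper/sdb2
```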
Re: Debian Live encrypted persistence
I do not know if the initramfs file of your live Debian accepts some kernel options which enable the feature you want: an encrypted persistent partition.
What is done at booting is written in an initramfs file (initrd.img or so).
If you expand it, you will see a file init and you can analyze it. It calls other scripts, which can also be analyzed.
Modification of the files may do the trick.
Good luck!
Re: Debian Live encrypted persistence
kiyop wrote: If you expand it, you will see a file init
I don't know exactly how to do it.
There are 2 initramfs:
initrd1.img and initrd2.img
I guess I should mount them first to see what is inside? But the mount command prompts for a filesystem type, and I don't know it.
Midnight Commander's F3 button seems to open it in a mostly human-readable form, but I suppose it's not the way that it should be done.
Re: Debian Live encrypted persistence
/dev/null wrote: I don't know exactly how to do it. (If you expand it, you will see a file init)
There are 2 initramfs:
initrd1.img and initrd2.img
I guess I should mount them first to see what is inside? But the mount command prompts for a filesystem type, and I don't know it.
You can extract (expand) the contents inside initrd1.img into a newly generated directory such as "initramfs" by executing the following:
Code:
mkdir initramfs && cd initramfs
gzip -dc PATH/TO/initrd1.img | cpio -i
If you do not know "absolute path" and/or "relative path", refer to http://en.wikipedia.org/wiki/Path_%28computing%29
Re: Debian Live encrypted persistence
/dev/null wrote: @pcalvert
On the second partition of Debian Live pendrive
You should read these articles:
Solid State Drives And Encryption, A No-Go?
Seven Major Weaknesses with Software Encrypted USB Flash Drives
Phil
Re: Debian Live encrypted persistence
Already following that mailing list topic here, today the main man says it's on the TODO list and "patches welcome". So it doesn't work yet.
As far as I know a standard image has two kernels (one 486, one 686 or PAE), so 2x initrd. The problem probably is not in there.
The debug log shows what's going on, but only as far as, apparently, the point where the mounts get transferred to the "real" FS (/lib/live/mounts/). Bash skills better than mine are needed to follow all of it. But your log snip does seem to show persistence being set at some point. What happens to it after, who knows.
cat /proc/mounts might give some clue; if anything beginning "/root/" is there, it didn't get moved properly and is no longer accessible. Another clue might be in /var/log/boot.
BTW the initscript idea I mentioned is not actually a "hack", but a custom script, used with the existing live-hook mechanism provided for that purpose.
@pcalvert, thanks for those links, an interesting read. However, a LUKS ext2 loopback file is probably about the best you can do for pen drive security (ext2 does fewer writes).
Re: Debian Live encrypted persistence
dzz wrote: @pcalvert, thanks for those links, an interesting read. However a LUKS ext2 loopback file is probably about the best you can do for pen drive security (ext2 does less writes)
A pen drive with built-in encryption would be even better. Not all of them are compatible with Linux, though.
Phil
Re: Debian Live encrypted persistence
In squeeze, my way of dealing with this was to make a small, unencrypted home-rw and a large encrypted partition. The encrypted partition gets mounted after logging in, and I keep my files there. Things like ~/.mozilla, ~/.gnupg and ~/.ssh are symlinked to the encrypted partition.
In wheezy, I'm using dzz's scripts, and I'm very happy with the way they work. I'm using a second partition instead of a loopback file for persistence. See this thread - http://refracta.freeforums.org/snapshot ... -t182.html
Put the scripts in /live/hooks, edit the boot line, and you're good to go. No need for persistence.conf or special labels, no need for rebuilding the initramfs. (Is that last part still true if you use a loopback file?)
BTW, the label on your persistence partition is not showing up, because the label is on the filesystem inside the encrypted volume. The system can't see the label until the encrypted volume is opened.
CAVEAT: I just noticed that I'm posting in the Beginners section, and this might not be beginners material. END CAVEAT
Be brave. Go for it. It's not difficult.
Re: Debian Live encrypted persistence
A persistence loopback file must be in a writable location. Because the live-media partition gets mounted RO that normally means, in a second partition.
Same goes for the luks-home "hook" method (which does not actually use persistence but replaces /home/user with a writable, custom one).
It's (unofficially) possible to hack the live-boot scripts in the initrd to use different mount options, though...
A loopback can be more flexible than an entire partition for persistence, e.g. you can use the partition for other things as well or even have multiple loopbacks for different purposes.
Beginners (and others who don't need extra capability) will find the ext2 dedicated partition method simpler.
Re: Debian Live encrypted persistence
Thank you all. I'll try to make it work and let you know about the results.
Re: Debian Live encrypted persistence
I have tested it and it works with lb from sid.
If you want help, then come on IRC @ irc.oftc.net #debian-live , and ask for help. The people there will be glad to assist you (including me)
Last edited by haylo on 2013-02-12 16:51, edited 1 time in total.
Re: Debian Live encrypted persistence
No need for any "hacks".
It works, just takes a lot of research.
Last edited by haylo on 2013-02-12 16:45, edited 6 times in total.
Re: Debian Live encrypted persistence
Here I just posted the code. That way there is some online documentation of this.
### LUKS PERSISTENCE ###
## for debian live ##
# Copyright (c) 2012-2013 cgraff , haylo
# LIVE BUILD SYNTAX AND PROGRAM FROM: Baumann, Armstrong and Lamb
# THIS IS FREE CODE AS LONG AS THESE COMMENTS ARE INCLUDED
# WORK IN PROGRESS ... CHANGING until perfected
# BASIC LOW DOWN IS:
# 1 format the partition,
# 2 encrypt it with luks,
# 3 open it with luks,
# 4 make the filesystem,
# 5 mount it from /dev/mapper/* ,
# 6 populate the filesystem with a "persistence.conf" file,
# 7 unmount it,
# 8 close it with luks
# DEFINE SOME VARIABLES
# NOOBS TIP: the = sign assigns a value to a variable
devicel="/dev/sdb" # CHOOSE A DEVICE (everything on it is destroyed below)
usb_size="4gb" # TELL PARTED ITS SIZE
mirror="http://ftp.debian.org/debian/"
security_mirror="http://ftp.debian.org/debian-security/"
# MAKE THE IMAGE
# remember sid doesn't always build easily.
# going to need to learn a bit about live-build
# or make a live image with remastersys that includes `cryptsetup'
# LOOK TO: http://live.debian.net/manual/3.x/html/ ... al.en.html --/
# FOR ANSWERS ON GETTING YOUR BUILD WORKING CORRECTLY <---------------/
# NOOBS TIP: pin some stuff to wheezy for sid
sudo apt-get install live-build live-config live-config-doc \
cryptsetup --force-yes
mkdir -p ~/crypto_buildl
cd ~/crypto_buildl
lb config \
-a amd64 \
-b hdd \
-d sid \
--linux-flavours amd64 \
--bootstrap cdebootstrap \
--cdebootstrap-options "--flavour=minimal" \
--bootappend-live "\
boot=live \
config \
persistent=cryptsetup \
persistence-encryption=luks \
username=joe \
hostname=shmoe \
persistence" \
--apt-indices false \
--apt-recommends false \
--linux-packages linux-image-3.7-trunk \
--mirror-bootstrap "${mirror}" \
--mirror-binary "${mirror}" \
--mirror-chroot-security "${security_mirror}" \
--mirror-binary-security "${security_mirror}" &&
# THIS ADDS SOME USUAL DEPENDENCIES + CRYPTSETUP
printf "\
user-setup
sudo
cryptsetup
apt-utils
" > config/package-lists/package.list.chroot
# NOTICE 'cryptsetup'
# NOOBS TIP: add cryptsetup package
# PIN SOME PACKAGES TO WHEEZY
# NOOBS TIP: pin packages to other debian releases to get what you need
cat >> config/archives/sid.pref.chroot << EOF
# USER-SETUP
Package: user-setup
Pin: release n=wheezy
Pin-Priority: 600
# SYSLINU*
Package: syslinu*
Pin: release n=wheezy
Pin-Priority: 600
Package: *
Pin: release n=experimental
Pin-Priority: 1
EOF
# ADD WHEEZY REPO FOR ABOVE PIN LIST
echo "deb ${mirror} wheezy main" > \
config/archives/wheezy.list.chroot
# ADD EXPERIMENTAL REPO FOR ABOVE PIN LIST
echo "deb ${mirror} experimental main" > \
config/archives/experimental.list.chroot
# BUILD THE IMAGE
sudo lb build
# CHECK FOR BAD BLOCKS ON THE DEVICE (destructive write test)
sudo badblocks -c 10240 -s -w -t random -v "${devicel}"
# OVERWRITE THE DEVICE WITH RANDOM DATA
sudo dd if=/dev/urandom of="${devicel}"
# DD THE binary.img TO THE USB DEVICE
sudo dd if=binary.img of="${devicel}"
# THIS JUST TELLS PARTED WHERE TO START TO MAKE THE SDB2 PARTITION:
# the size of binary.img in megabytes (parted reads a bare number as MB)
read bytes _ < <(du -bcm binary.img | tail -1); echo "$bytes"
# MAKE THE PARTITION
sudo parted "${devicel}" mkpart primary "${bytes}" "${usb_size}"
# ENCRYPT THE PARTITION
sudo cryptsetup --verbose --verify-passphrase luksFormat "${devicel}2"
# OPEN THE ENCRYPTED PARTITION
sudo cryptsetup luksOpen "${devicel}2" my_usb
# MAKE A FILESYSTEM ON IT AND LABEL IT "persistence"
sudo mkfs.ext3 -L persistence /dev/mapper/my_usb
# MAKE A MOUNT POINT
sudo mkdir -p /mnt/my_usb
# MOUNT THE OPENED ENCRYPTED PARTITION
sudo mount /dev/mapper/my_usb /mnt/my_usb/
# MAKE THE persistence.conf FILE IN THE ROOT OF THE FILESYSTEM
echo "/ union" | sudo tee /mnt/my_usb/persistence.conf
# UNMOUNT IT
sudo umount /dev/mapper/my_usb
# CLOSE THE LUKS PARTITION
sudo cryptsetup luksClose /dev/mapper/my_usb
# TEST IT
sudo apt-get install qemu --force-yes
sudo kvm "${devicel}"
Re: Debian Live encrypted persistence
Good to hear luks persistence works with official packages only, even if only for sid. The hook script mentioned earlier was only ever done, for wheezy, because the official stuff did not.
However, in wheezy we are already advised to use live-* packages from sid. What is the difference that makes it not work for wheezy, and how can it be made to?
Looking at the changelogs for live-boot, live-config and live-build in experimental I see no mention of luks persistence in any recent stuff.
Re: Debian Live encrypted persistence
Code:
apt-cache policy live-boot
live-boot:
Installed: 3.0~a35-1
Candidate: 3.0.0-1
Version table:
4.0~a5-1 0
1 http://debian.lcs.mit.edu/debian/ experimental/main amd64 Packages
3.0.0-1 0
500 http://debian.lcs.mit.edu/debian/ sid/main amd64 Packages
*** 3.0~a35-1 0
500 http://debian.lcs.mit.edu/debian/ wheezy/main amd64 Packages
100 /var/lib/dpkg/status
Re: Debian Live encrypted persistence
Some details of a live usb set up here:
part1: FAT32 with syslinux and a custom Wheezy live image. All live-* packages are very recent sid. Tested and works normally (including with non-luks persistence). Image includes cryptsetup.
part2: LUKS volume containing an EXT2 filesystem labelled "persistence". Contains a file "persistence.conf" with text "/ union,sources=."
Code:
:~$ dpkg -l|grep live-
ii live-boot 3.0~b11-1 all Live System Boot Scripts
ii live-boot-doc 3.0~b11-1 all Live System Boot Scripts (documentation)
ii live-boot-initramfs-tools 3.0~b11-1 all Live System Boot Scripts (initramfs-tools backend)
ii live-config 3.0.18-1 all Live System Configuration Scripts
ii live-config-doc 3.0.18-1 all Live System Configuration Scripts (documentation)
ii live-config-sysvinit 3.0.18-1 all Live System Configuration Scripts (sysvinit backend)
ii live-tools 3.0.17-1 all Live System Support Scripts
cmdline includes: " persistence persistence-encryption=luks " Very early in the boot process the luks key was prompted for.
In the live session: it is already mapped but not mounted, according to <blkid> and <cat /proc/mounts>. It can be mounted manually without needing the luks key again. It certainly is not being used for persistence.
If "debug" is added to the cmdline everything freezes after the first 3 screens. Power button is the only way out. Not even busybox. No clue why and no log to save.
The actual live* packages still don't work for luks persistence in wheezy (the custom hook script does). I don't know what is different about a sid build (except that every day it is different; yesterday's is already outdated).
EDIT <man live-boot>
persistence-encryption=TYPE1,TYPE2 ... TYPEn
This option determines which types of encryption that we allow to be used
when probing devices for persistence media. If "none" is in the list, we
allow unencrypted media; if "luks" is in the list, we allow LUKS-encrypted
media. Whenever a device containing encrypted media is probed the user will
be prompted for the passphrase. The default value is "none"
EDIT2:
haylo wrote: # WORK IN PROGRESS ... CHANGING until perfected
Looking forward to that, so "hacks" are no longer necessary. Thanks Debian-Live devs for your good work.
Re: Debian Live encrypted persistence
dzz wrote: LUKS volume containing an EXT2 filesystem labelled "persistence". Contains a file "persistence.conf" with text "/ union,sources=."
cmdline includes: " persistence persistence-encryption=luks " Very early in the boot process the luks key was prompted for.
In the live session: it is already mapped but not mounted, according to <blkid> and <cat /proc/mounts>. It can be mounted manually without needing the luks key again. It certainly is not being used for persistence.
I've got exactly the same results for custom sid.
Right after password check there's an error:
Code:
mount: mounting Loading on live/persistence/Loading failed : no such device
Code:
+ probe_for_fs_label live-rw home-rw persistence Loading /etc/boottime.kmap.gz /dev/mapper/sdb2
+ local overlays dev
+ overlays=live-rw home-rw persistence
+ dev=Loading
+ /sbin/blkid -s LABEL -o value Loading
+ [ = live-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = home-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = persistence ]
+ result=
+ [ -n ]
dzz wrote: If "debug" is added to the cmdline everything freezes after the first 3 screens. Power button is the only way out. Not even busybox. No clue why and no log to save.
Again, same here.
Last displayed line is:
Code:
uhci_hcd: USB Universal Host Controller Interface driver
Code:
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
I can't see it in man live-boot.
Tomorrow I'll try the Debian Live IRC channel.