Debian Live encrypted persistence

New to Debian (Or Linux in general)? Ask your questions here!
dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#21 Post by dzz »

no need for any "hacks"
it works, just takes a lot of research
Those of us who did plenty of research, still failed and only then resorted to "hacks" remain mystified.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700902

The good news is: live-boot_4.0~a7-1_all.deb, which made it into experimental only today, actually does work. The fix is also noted in the changelog.

I just tested it using an existing custom wheezy image, booted from a rebuilt initrd containing the new stuff in /lib/live/

You can replace just the initrd in /live of a syslinux-type USB setup, maybe not if you use the less flexible dd method (IMO totally inflexible because the device is then useless for normal data storage).

There is still a problem: if you use "debug" on the cmdline (to get a full boot log) with LUKS, the system will hang early on (and the log can't be saved).

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Debian Live encrypted persistence

#22 Post by pcalvert »

As an alternative, what about creating a "Data" or "Documents" directory inside one's home directory and then encrypting that with eCryptfs?

Phil

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#23 Post by dzz »

As an alternative, what about creating a "Data" or "Documents" directory inside one's home directory and then encrypting that with eCryptfs?
A good option for actual data files, but dot files also containing personal data would still be unencrypted (VoIP account, mail client, browser ...).

Pendrives are easily lost or stolen; proper luks persistence is important for "travelling OS" security. We're close to getting it sorted.

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#24 Post by /dev/null »

Great news, thank you.
I just tested it using an existing custom wheezy image, booted from a rebuilt initrd containing the new stuff in /lib/live/
how to rebuild initrd with new live-boot?
Or how to make a wheezy or sid build with live-boot from experimental?

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#25 Post by dzz »

how to rebuild initrd with new live-boot?
Initrd hacking, sid/experimental and live-image building are not really "Beginners Questions" material. The bottom line is, LUKS persistence doesn't work (yet) in the "mainstream". However you did ask.

Extract an initrd:

Code:

# make a directory, copy into it the original initrd
# open a terminal, cd to that directory
# (a wheezy-era initrd is a single gzip-compressed newc cpio archive)

INITRD=name_of_original_initrd
mkdir ./uz
cd uz
# fakeroot has to wrap cpio, the command doing the file operations, not zcat;
# -d creates leading directories, --no-absolute-filenames keeps paths relative
zcat ../$INITRD | fakeroot cpio -i -d --no-absolute-filenames

Now that it's extracted, you can change things.

/lib/live/ contains the live-boot scripts. What I did was replace everything in there with the new stuff from the previously extracted .deb.

Rebuild it:

Code:

cd uz
# again fakeroot wraps cpio, which records file ownership, so every entry in
# the archive is owned by root rather than by your user; -0 pairs with -print0
fakeroot sh -c 'find . -print0 | cpio -0 -H newc -o' | gzip -c > ../initrd.rebuilt

Use initrd.rebuilt to boot with (rename it or edit the menu).

I'm not saying this is the "right" way to do things, nor is this a "recommendation". Just trying to find my own way through that which is about as clear as mud. And I'm working with wheezy, not sid.

I'm sure this stuff will be sorted officially in due course (getting a bit late to make wheezy in time though)

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#26 Post by /dev/null »

It's working 8)
thank you dzz

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#27 Post by /dev/null »

It's working
Well - not anymore :x
They must have messed something up with the new versions of the boot scripts. It seems that the scripts from experimental don't fit wheezy/sid builds anymore.

User avatar
llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Debian Live encrypted persistence

#28 Post by llivv »

/dev/null wrote:They must messed something up with the new versions of boot scripts. It seem that scripts from experimental
Is there a new feature in the version from experimental you wanted to try?

Posting which versions worked for you
and which versions don't work for you
helps a lot more than telling us that they messed up in experimental.

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#29 Post by /dev/null »

I'm talking about a LUKS-encrypted persistence partition in Debian Live.
There was a bug in live-boot that caused LUKS-encrypted partitions not to be detected properly, so they could not be used for persistence. They fixed it recently in live-boot 4.0, but it is still in experimental.
Since building an experimental live image isn't the best idea, "dzz" suggested just putting the newest boot scripts from the live-boot 4.0 .deb package directly into a previously built wheezy/sid initrd.img.
This method worked great a month ago, but yesterday when I tried it again, the system got stuck somewhere during the boot procedure.
It seems that the developers changed the newest (4.0) boot scripts in such a way that they aren't compatible with wheezy/sid builds anymore.
I tried to install the whole experimental live-boot 4.0 package (to overwrite the default buggy 3.0) using "--interactive shell" in lb config. I changed the repos to experimental, but apt-get update doesn't seem to work as it should.
apt-get install live-boot says that the package is already the newest version, but it isn't; apt-cache policy live-boot clearly states that the installed version is 3.0.

So if anyone could tell me how to install live-boot from experimental during the wheezy/sid build procedure, I would be very grateful.

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#30 Post by dzz »

Experimental is just that, "experimental". It can change fast. Sometimes stuff is broken, or there might be undocumented changes. You need to be *very* selective what you use from there and without expectations. You might break something else unexpectedly.

That's why I preferred just a custom initrd to actually installing experimental packages. (revised) Just replace the entire /lib/live directory.

live-boot 4.0~a9-1 is current. I got a kernel panic using an initrd rebuilt with that. I don't know if it's actually broken or something I did wrong.

You can find 4.0~a7-1 (we know that works) here:

http://snapshot.debian.org/binary/live-boot/
http://snapshot.debian.org/package/live-boot/4.0~a7-1/

BTW luks loopback files still don't work (there is a patch for that)

I use custom build scripts in preference to official live-build so can't help much with that. Rather than use the repo for one package (I think it's <apt-get -t experimental install>) I would dpkg -i the deb, or just do the custom initrd after the build.

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#31 Post by /dev/null »

Thank you again dzz. I tried dpkg -i yesterday with 4.0~a9, and LUKS persistence didn't work. Thanks for the link to the older version.
I think I found another bug: the "--interactive shell" parameter doesn't work with "-d sid"; lb build just skips it.

BTW maybe you can help me with this:
http://forums.debian.net/viewtopic.php?f=10&t=101246

IxoT0b
Posts: 1
Joined: 2014-03-14 18:17

Re: Debian Live encrypted persistence

#32 Post by IxoT0b »

Hey,

this thread made it possible for me to create an encrypted persistent Debian Live system - thanks to all!

I am using live-boot 4.0~a7-1 in a rebuilt initrd, Debian wheezy with fluxbox on a SanDisk Cruzer Extreme 64 GB - it works perfectly fine.

If anything new comes up pls share!

fsmithred
Posts: 1873
Joined: 2008-01-02 14:52

Re: Debian Live encrypted persistence

#33 Post by fsmithred »

IxoT0b wrote: If anything new comes up pls share!
Yeah, some new things have come up.

refracta2usb has been updated, and it uses live-boot 4.0~a7-1 to rebuild the initrd so you can use encrypted loopback files for persistence or have a read/write media partition.
refracta2usb-0.9.5.deb
http://distro.ibiblio.org/refracta/files/Testing/

dzz has updated his patch-initrd script to use live-boot-4.0~alpha18. That hasn't been added to refracta2usb yet.
http://refracta.freeforums.org/alternat ... html#p3591

AreYouLoco?
Posts: 1
Joined: 2014-04-16 08:45

Re: Debian Live encrypted persistence

#34 Post by AreYouLoco? »

fsmithred wrote:
IxoT0b wrote: If anything new comes up pls share!
Yeah, some new things have come up.
Off Topic
I don't want to be rude, but the #debian-live channel didn't help me at all. They don't have to, I know. But what are they sitting on IRC for? Nerds...
Yeah, some brand new info. I am sure that some of you will be as happy about the URLs I have received as I am now.

This is what you have been looking for for a long time! It's a distro called Freepto.

Main Download Page
Torrents: Torrent en_GB Torrent es_ES Torrent it_IT

Here is also their GIT repo: https://github.com/AvANa-BBS/freepto-lb
And for those who don't want to download the whole ISO, just the configs to make encrypted persistence:
git -c http.sslVerify=false clone https://v.licheni.net/stack/code/debianlive.git

I suggest using that distro as the base of your encrypted system with persistence. It seems reliable and secure; I am testing it now.
No one can help you better than Italian hackers :D And now I am ready to contribute to this project.

P.S. The site is in Italian too. I used Google Translate for you. It works fine to get the needed information. Enjoy!

SeventhClaw
Posts: 1
Joined: 2014-05-31 10:27

Re: Debian Live encrypted persistence

#35 Post by SeventhClaw »

Hey there, thanks to this thread and the live-build manual I finally got encrypted persistence to work with wheezy live; figured I might as well post the steps I followed. All the official 7.5.0 live images are missing, in the end, is cryptsetup and live-boot 4.* (jessie/testing now has 4.0~alpha21-1).

So first I installed a full Debian 7.5 amd64 DVD1 XFCE copy in VirtualBox + sudo + a "user" user to build this image with; should be fully reproducible.

The goal was just to produce a slightly more liberal version of the XFCE live CD ISO with encryption. This is pretty sloppy, but the end result worked. There was only one conflict, with a "plymouth" package, following this procedure; seems to be a current issue. Also note I actually ran this only with "--source true", but don't see how that would change anything.

Code:

# Prep
sudo apt-get install cryptsetup debtags git cdebootstrap live-build live-boot live-config --yes
# Restart just in case

sudo -s

# Get stock config
cd /home/user
rm -rf live-images && mkdir live-images && cd live-images
lb config --config git://live.debian.net/git/live-images.git
cd images/xfce-desktop
lb clean

# cryptsetup must be in the image so the LUKS container can be opened at boot
echo -e 'cryptsetup\n' > config/package-lists/custom.list.chroot
# Pull only live-boot 4.x (and what it needs) from jessie; pin everything else to wheezy
mkdir config/archives
echo -e 'deb http://ftp.ca.debian.org/debian/ jessie main contrib non-free' > config/archives/custom.list.chroot
echo -e 'Package: *\nPin: release n=wheezy\nPin-Priority: 990' > config/archives/custom.pref.chroot
# Note: jessie * pin must be -10; if set to 10 fails horribly
echo -e '\nPackage: *\nPin: release n=jessie\nPin-Priority: -10' >> config/archives/custom.pref.chroot
echo -e '\nPackage: live-boot\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot
echo -e '\nPackage: live-boot-initramfs-tools\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot
# Not sure really need these below, but fails without live-boot-initramfs-tools above
echo -e '\nPackage: live-boot-backend\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot
echo -e '\nPackage: live-tools\nPin: release n=jessie\nPin-Priority: 995' >> config/archives/custom.pref.chroot

# Debian bug fix (for ~7.5.0 images):
# IF GET A CONFLICT ERROR with "plymouth" package upon 'lb build':
pico config/package-lists/desktop.list.chroot
# -> Remove all "plymouth*" packages and save

# Change stock config (wheezy & amd64 implied)
lb config --source false --bootstrap cdebootstrap --bootappend-live 'boot=live config quiet splash persistence persistence-encryption=none,luks' --mirror-bootstrap "http://ftp.ca.debian.org/debian/" --mirror-binary "http://ftp.ca.debian.org/debian/" --archive-areas "main contrib non-free"

# Build
lb build

# Transfer to USB (I didn't actually do this, I used the ISO as CD, but for reference...)
dd if=binary.hybrid.iso of=/dev/sdX bs=4M

# Then in a different VM with a blank disk (/dev/sda),
# needs something along the lines of (warning: from memory)...
fdisk /dev/sda
# o, n, w
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 test
# live-boot finds the persistence volume by its filesystem label
mkfs.ext2 -L persistence /dev/mapper/test
mkdir /mnt/test
mount /dev/mapper/test /mnt/test
# persistence.conf has to live in the root of the persistence filesystem
echo '/ union,source=.' > /mnt/test/persistence.conf
# Not sure this is necessary but did it anyway
chown -R user /mnt/test
chmod -R 755 /mnt/test
umount /mnt/test
cryptsetup luksClose test

# Restart with ISO or USB plugged in, same machine as disk above, enter password when prompted...
# ... Persistence!

CampNowhere
Posts: 1
Joined: 2015-03-25 14:54

Re: Debian Live encrypted persistence

#36 Post by CampNowhere »

I figured out how to do it, consistently!

I used Debian 8.

Install live-build.

There is a file that is installed with live-build that must be modified (as of this writing).

Code:

/usr/lib/live/build/chroot_hacks

There is a line, around 79 or so, that looks like this:

Code:

Chroot chroot "${UPDATE_INITRAMFS_OPTIONS} update-initramfs -k all -t -u"

We want to make it look like this:

Code:

Chroot chroot "${UPDATE_INITRAMFS_OPTIONS} CRYPTSETUP=y update-initramfs -k all -t -u"

(Apparently this is fixed in the latest version of live-build, but that version has not hit any repos yet, and this is given as a workaround)

Now, set up your live-build directory as normal. There are a couple of things, however, that we must be conscious of. First, we need to open config/binary and find the setting called LB_BOOTAPPEND_LIVE. Leave the list of normal parameters, but make sure it contains the following: 'persistence persistence-encryption=none,luks'. Finally, in one of your config/package-lists/*.list.chroot files, make sure that cryptsetup is installed, at the very least.

Build your ISO! Mind you, I've only tested the above method with a hybrid ISO, so mileage may vary in other modes. dd the ISO and set up your encrypted store as documented elsewhere in this thread, and it should work.
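Two checks this thread keeps coming back to are whether a rebuilt initrd really carries the new /lib/live scripts with root ownership (dzz's fakeroot and cpio rebuild in #25) and whether cryptsetup made it into the initrd at all (CampNowhere's CRYPTSETUP=y fix in #36). The Python below is an added example, not code from any poster or from live-boot: it parses the newc cpio format an initrd is packed in and reports those points for a small archive constructed inline, assuming a `find .` style rebuild names files ./lib/live/boot/... and that the initramfs cryptsetup hook places the binary at sbin/cryptsetup.

```python
import gzip
MAGIC = b"070701"  # "newc" cpio header magic, the archive format initramfs images use

def _pad4(n):
    return (-n) % 4

def newc_pack(entries):
    """Write a newc archive from (name, mode, uid, gid, data) tuples, trailer included."""
    out = bytearray()
    for ino, (name, mode, uid, gid, data) in enumerate(entries + [("TRAILER!!!", 0, 0, 0, b"")], 1):
        nameb = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, uid, gid, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0]
        out += MAGIC + b"".join(b"%08x" % f for f in fields)
        out += nameb + b"\0" * _pad4(110 + len(nameb))  # header+name padded to 4 bytes
        out += data + b"\0" * _pad4(len(data))          # data padded to 4 bytes
    return bytes(out)

def newc_entries(blob):
    """Yield (name, mode, uid, gid, data); skips trailers and cpio's NUL block padding."""
    pos = 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != MAGIC:
            raise ValueError("bad cpio magic at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        size, namesize = f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        dpos = pos + 110 + namesize + _pad4(110 + namesize)
        pos = dpos + size + _pad4(size)
        if name == "TRAILER!!!":  # end of one archive; a microcode blob may precede the real one
            while pos < len(blob) and blob[pos] == 0:
                pos += 1
            continue
        yield name, f[1], f[2], f[3], blob[dpos:dpos + size]

def audit_initrd(initrd):
    """Live-boot scripts present? cryptsetup at sbin/cryptsetup (assumed path)? non-root owners?"""
    if initrd[:2] == b"\x1f\x8b":
        initrd = gzip.decompress(initrd)
    names, non_root = [], []
    for name, _mode, uid, gid, _data in newc_entries(initrd):
        name = name[2:] if name.startswith("./") else name  # `find .` style names
        names.append(name)
        if uid or gid:  # cpio -o run outside fakeroot records your own uid/gid
            non_root.append(name)
    return {"live_boot_scripts": sorted(n for n in names if n.startswith("lib/live/boot/")),
            "has_cryptsetup": "sbin/cryptsetup" in names, "non_root_owned": non_root}

# Constructed sample: a "rebuilt" initrd where cpio ran outside fakeroot and cryptsetup is missing.
SAMPLE_INITRD = gzip.compress(newc_pack([
    ("./lib/live/boot/9990-main.sh", 0o100755, 1000, 1000, b"#!/bin/sh\n"),
    ("./bin/sh", 0o100755, 0, 0, b"\x7fELF")]))
```

Run `audit_initrd(open("initrd.rebuilt", "rb").read())` against a real rebuilt initrd; a non-empty `non_root_owned` list means fakeroot did not wrap the cpio step.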
