In a previous message I described creating a non-partitioned bootable USB drive. My goal in doing that was to make a USB drive, which I could insert into (most) any random PC and boot to a functional Debian desktop. Into the root image I install Xfce, iceweasel, icedove, pidgin, xemacs, ssh, network-manager, and importantly cryptsetup. That gives me the tools I use 90% of the time in a 450MB squashfs image, which fits in my wallet. I also install various system rescue related stuff.
As before, I'm posting this in the hope that it helps somebody, or even better, that people help me to simplify this, or improve the robustness.

Because I have icedove's mail cache, and other personal information stored on an easily losable USB drive, I wanted to make sure my home directory was encrypted. I'm familiar with cryptsetup and LUKS, because that is what I use in several other applications. I decided the easiest way to do this would be with a disk image mounted as a loopback device, and then let cryptsetup handle it normally.

First I created a disk image of the required size:

    dd if=/dev/zero of=encrypted.home bs=1M count=500

or whatever size you think is appropriate. Then set up the image as a loop device:

    losetup -f

to get the next available loop device, probably /dev/loop0, then

    losetup /dev/loop0 ./encrypted.home

Now treat /dev/loop0 as you would any other hard drive partition as far as creating a luks partition and filesystem:

    cryptsetup luksFormat /dev/loop0
    cryptsetup luksOpen /dev/loop0 luks.home

and format it. I chose ext2 because it's fast, but use whatever you want. Be sure to update the scripts below for other filesystems.

    mkfs.ext2 /dev/mapper/luks.home
    mount /dev/mapper/luks.home /mnt

Create your home directory. Replace these with the appropriate username and uid.

    mkdir /mnt/user
    chown 1000.1000 /mnt/user
    chmod 755 /mnt/user

At this point you can copy over any files you want in the encrypted home. Don't forget to update their permissions and ownerships. And to reverse the process:

    umount /mnt
    cryptsetup luksClose /dev/mapper/luks.home
    losetup -d /dev/loop0

Now, copy encrypted.home to the /live directory on the USB drive.

I then put a script named 99crypt-home.sh into config/chroot_local-hooks to configure the live image:

--8<---------------cut here---------------start------------->8---
#!/bin/sh
update-rc.d losetup-home.sh start 23 S .
# "echo" does not read a here-document, so "cat" is needed for the line to reach fstab.
cat >> /etc/fstab <<EOF
/dev/mapper/home /home ext2 defaults,noatime 0 0
EOF
--8<---------------cut here---------------end--------------->8---

That references the file losetup-home.sh which goes in chroot_local-includes/etc/init.d/losetup-home.sh

--8<---------------cut here---------------start------------->8---
#!/bin/sh
### BEGIN INIT INFO
# Provides:          losetup-home
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev devfsd
# Should-Stop:       udev devfsd
# X-Start-Before:    cryptdisks
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup early encrypted block devices.
# Description:
### END INIT INFO

CRYPTHOME="/live/image/live/encrypted.home"

case "$1" in
  start)
    LOOP=`/sbin/losetup -f`
    /sbin/losetup $LOOP $CRYPTHOME
    echo "home $LOOP none luks,check,timeout" > /etc/crypttab
    ;;
esac

exit 0
--8<---------------cut here---------------end--------------->8---

From this point (unless I'm forgetting a step) cryptsetup should figure out what to do during the boot process. At some point it will ask for your password to decrypt the luks partition. My system is configured to autologin to an Xfce desktop.

I'm sure my scripts have lots of room for improvement, but the steps I've outlined work well for me.
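A more defensive version of losetup-home.sh, added here as an example and not the original poster's script: it refuses to start if the image is missing or is not a LUKS container, reuses a loop device that is already attached to the image instead of attaching a second one, replaces only its own crypttab line so other mappings survive, and tears the mapping and loop device down on stop. The image path, mapping name and crypttab options are the ones from the post; the LSB header mirrors the original minus devfsd.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          losetup-home
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev
# X-Start-Before:    cryptdisks
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Attach the encrypted home image as a loop device.
### END INIT INFO
# Added example: a defensive rewrite of losetup-home.sh, not the original poster's script.
CRYPTHOME="/live/image/live/encrypted.home"   # image path from the post
MAPNAME="home"                                # crypttab mapping name from the post
# Print the loop device already backing the image, given `losetup -j $CRYPTHOME`
# output on stdin ("/dev/loop0: [2049]:12 (/path)"); prints nothing if none.
loop_for_image() {
    sed -n 's/^\(\/dev\/loop[0-9][0-9]*\):.*/\1/p' | head -n 1
}

# The crypttab line for a given loop device, same options as the post uses.
crypttab_entry() {
    printf '%s %s none luks,check,timeout\n' "$MAPNAME" "$1"
}

# Rewrite crypttab from stdin to stdout, replacing only our own entry so
# other mappings (e.g. encrypted swap) survive a reboot.
update_crypttab() {
    grep -v "^$MAPNAME " ; crypttab_entry "$1"
}

start_home() {
    [ -f "$CRYPTHOME" ] || { echo "losetup-home: $CRYPTHOME not found" >&2; return 1; }
    LOOP=$(/sbin/losetup -j "$CRYPTHOME" | loop_for_image)      # reuse if already attached
    [ -n "$LOOP" ] || LOOP=$(/sbin/losetup -f --show "$CRYPTHOME") || return 1
    /sbin/cryptsetup isLuks "$LOOP" || { echo "losetup-home: not a LUKS image" >&2; return 1; }
    [ -f /etc/crypttab ] || : > /etc/crypttab
    TMP=$(mktemp) && update_crypttab "$LOOP" < /etc/crypttab > "$TMP" && mv "$TMP" /etc/crypttab
}

stop_home() {
    /sbin/cryptsetup status "$MAPNAME" >/dev/null 2>&1 && /sbin/cryptsetup luksClose "$MAPNAME"
    LOOP=$(/sbin/losetup -j "$CRYPTHOME" | loop_for_image)
    [ -z "$LOOP" ] || /sbin/losetup -d "$LOOP"
}
case "$1" in
    start) start_home ;;
    stop)  stop_home ;;
esac
```

Because loop_for_image, crypttab_entry and update_crypttab take their input on stdin, they can be checked on a workstation without root or the live image.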
