[Bug 1215504] Re: allow luks encrypted casper-rw persistent file (patch)

Glenn Washburn 1215504 at bugs.launchpad.net
Sat Feb 11 05:02:08 UTC 2017


An updated post of what needs to be done for yakkety (16.10) is at:
https://archimedesden.wordpress.com/2017/01/09/encrypted-persistent-ubuntu-livecd-16-10-redux/

It seems trivial to have this included in the iso.  Most of the work of
figuring out what changes to make has been done, so what's the
downside?  It looks like recent isos do not include dm-crypt nor cryptsetup
as the blog post alludes to.  So they need to be added back, but it's not
that much extra data.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to casper in Ubuntu.
https://bugs.launchpad.net/bugs/1215504

Title:
  allow luks encrypted casper-rw persistent file (patch)

Status in casper package in Ubuntu:
  Triaged

Bug description:
  Currently the casper-rw persistent file cannot be an encrypted
  container.  The distribution livecd would be a more valuable product,
  if it allowed persistence to an encrypted container.  The persistence
  feature of the livecd is very likely to be used on removable media,
  such as a usb flash drive.  These are generally small and thus easily
  lost or misplaced.  This could prove to be a security issue if it
  contains sensitive data.

  I've attached a patch which allows casper to detect when the casper-rw
  file is a luks encrypted container.  It will then ask the user for the
  password, unlock the container, and use the unencrypted device as if
  it were an unencrypted casper-rw.  This is a basic, self-contained
  solution to this issue.

  A better solution would be to re-use the "setup_mapping" function in
  /scripts/local-top/cryptroot from initramfs-tools to set up the crypto
  device.  However, it is currently not possible to source this function
  from another script because cryptroot calls "exit".

  What this patch does not support:
  * using a keyfile to decrypt the luks device
  * support for persistent, encrypted device partitions (must use an encrypted file on a supported filesystem)
  * support for other encrypted container formats (TrueCrypt, loop-aes, etc.)

  Reference:
  * http://ubuntuforums.org/showthread.php?t=1044182
  * http://ubuntuforums.org/showthread.php?t=1171612

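The detection step outlined in the bug description (recognise a LUKS container, unlock it, then hand the mapped device on as if it were a plain casper-rw), sketched as an added example; this is not the attached patch or casper's own code. The function names and the mapping name `casper-rw-crypt` are hypothetical, and the check relies on the LUKS on-disk header starting with the magic bytes `LUKS` 0xBA 0xBE followed by a two-byte version.

```shell
#!/bin/sh
# Added example: classify a persistence file by its on-disk header.
# A LUKS header begins with the 6-byte magic "LUKS" 0xBA 0xBE followed by
# a 2-byte big-endian version field (1 or 2).

persistence_kind() {
    # Prints one of: missing, luks1, luks2, luks-unknown, plain
    file=$1
    [ -r "$file" ] || { echo missing; return 0; }
    # First 8 bytes as a contiguous lowercase hex string
    hdr=$(od -An -tx1 -N8 "$file" | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        4c554b53babe*)    echo luks-unknown ;;
        *)                echo plain ;;
    esac
}

open_persistence() {
    # Prints the path that should be used as casper-rw:
    # the mapped device for a LUKS container, the file itself otherwise.
    file=$1
    name=${2:-casper-rw-crypt}   # hypothetical mapping name
    case "$(persistence_kind "$file")" in
        luks1|luks2)
            # cryptsetup prompts for the passphrase on the console;
            # a wrong passphrase or missing dm-crypt fails closed.
            cryptsetup luksOpen "$file" "$name" >&2 || return 1
            echo "/dev/mapper/$name" ;;
        plain)
            echo "$file" ;;
        *)
            echo "unusable persistence file: $file" >&2
            return 1 ;;
    esac
}
```

A header with the LUKS magic but an unrecognised version is rejected rather than treated as a plain file, so a container is never mounted unencrypted by mistake.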