
Producing (and distributing) encrypted ISOs

Rationale

At first I thought it would have been cool if mkarchiso had support to make ISOs that are able to boot LUKS-encrypted airootfs images.

Then I thought it would have been cooler if it also automatically produced a second ISO to be put on an USB drive or CDROM and to be used as a multi-function dongle which is also able to boot the system when connected.

Then I thought it would have been even cooler if we provided a simple way for users to produce private-ish install drives directly online and on AUR with simple names.

Use cases

  • For users:
    • Producing private install mediums.
    • Producing safer live desktop systems.
    • For new users:
      • Having access to a configuration for a safer system.
  • For developers:
    • Producing safer live developer-level systems.
    • Selling private install mediums.
  • Common
    • Any downstream project would benefit from the extra security layer upstream.

Target:

  • Individuals or organizations willing to build encrypted, modified installers by themselves, for distribution at most within a closed, or at least restricted, environment.
  • Shops which are authorized to sell Arch merchandise, who could add the "pre-encrypted featureful install drive with dongle"* item to their stores so that one could recommend a nice startup kit to kids.
  • Individuals or organizations willing to use archiso as a practical tool to manage their systems as easily reproducible immutable snapshots.

Changes

To make that happen I'm proposing (!217 (closed)) to add and extend some new profiledef.sh fields:

airootfs_image_type:     ext4+squashfs+luks
                         squashfs+luks
                         erofs+luks
keys_image_type:         same values as above
keys_image_tool_options: same as airootfs_image_tool_options
buildmode:               keys  # when enabled produces the iso/image
                               # for the aforementioned dongle
encryption_key:          <file>
                         auto
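As an added example (not code from the MR, from mkarchiso or from archiso-profiles-git), a small POSIX sh validator for these proposed fields, of the kind mkarchiso's option checks would need before trying to build. Function names are hypothetical; the assumptions are that "+luks" may be appended to any of the three base types, that buildmode keys requires a keys_image_type, and that any +luks type requires encryption_key to be "auto" or a readable key file.

```shell
#!/usr/bin/env sh
# Hypothetical validation for the proposed profiledef.sh fields (added example,
# not part of archiso). Base types come from the proposal; "+luks" may be appended.
base_types="ext4+squashfs squashfs erofs"

# image_type_base TYPE -> prints TYPE without a trailing "+luks"
image_type_base() {
    printf '%s\n' "${1%+luks}"
}

# image_type_is_luks TYPE -> 0 if TYPE ends in "+luks", 1 otherwise
image_type_is_luks() {
    case "$1" in *+luks) return 0 ;; *) return 1 ;; esac
}

# image_type_valid TYPE -> 0 if the base type is one of the known base types
image_type_valid() {
    base=$(image_type_base "$1")
    for t in $base_types; do
        [ "$t" = "$base" ] && return 0
    done
    return 1
}

# validate_encrypted_profile AIROOTFS_TYPE KEYS_TYPE "BUILDMODES" ENCRYPTION_KEY
# Returns 0 when the combination is consistent, 1 with a reason on stderr otherwise.
validate_encrypted_profile() {
    airootfs_type=$1 keys_type=$2 buildmodes=$3 key=$4
    image_type_valid "$airootfs_type" || { echo "bad airootfs_image_type: $airootfs_type" >&2; return 1; }
    wants_keys=1
    for m in $buildmodes; do [ "$m" = keys ] && wants_keys=0; done
    if [ "$wants_keys" -eq 0 ]; then
        # The dongle image needs a type of its own (same value set as airootfs_image_type).
        [ -n "$keys_type" ] || { echo "buildmode keys needs keys_image_type" >&2; return 1; }
        image_type_valid "$keys_type" || { echo "bad keys_image_type: $keys_type" >&2; return 1; }
    fi
    if image_type_is_luks "$airootfs_type" || { [ -n "$keys_type" ] && image_type_is_luks "$keys_type"; }; then
        # A LUKS layer needs a key: "auto" generates one, anything else is taken as a key file path.
        case "$key" in
            auto) ;;
            '') echo "luks image type needs encryption_key" >&2; return 1 ;;
            *) [ -r "$key" ] || { echo "encryption_key not readable: $key" >&2; return 1; } ;;
        esac
    fi
    return 0
}
```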

For users to produce the profiles online, there is an IPython script which can be opened in a public online Jupyter notebook instance like those offered by Wikimedia or Google.

Notes

  • This MR depends on the encrypt hook-compatible branch of mkinitcpio-archiso, which in turn depends on
  • the cryptsetup-nested-cryptkey AUR package, which you can interpret as my "I don't know where to send it" merge request to add "root on file" compatibility to the encrypt hook shipped in the cryptsetup package;
  • it already includes !253 (closed).

Testing

A PKGBUILD that builds ereleng (an encrypted releng profile) has been published as archlinux (AUR).

Private-ish images can be built online with the IPython script in archiso-profiles-git and downloaded from Google Colab; currently only unencrypted profiles build with the provided script.

*I'd like proposals for other useful features that could mostly be considered free to add to it, e.g. a bootloader or an initramfs pre-configured for PXE.

Edited by Tallero Tallero