Producing (and distributing) encrypted ISOs
At first I thought it would have been cool if
mkarchiso had support to make ISOs that
are able to boot LUKS-encrypted
Then I thought it would have been cooler if it also automatically produced a second ISO to be put on an USB drive or CDROM and to be used as a multi-function dongle which is also able to boot the system when connected.
Then I thought it would have been even cooler if we provided a simple way for users to produce private-ish install drives directly online and on AUR with simple names.
- For users:
- Producing private install mediums.
- Producing safer live desktop systems.
- For new users:
- Having access to a configuration for a safer system.
- For developers:
- Producing safer live developer-level systems.
- Selling private install mediums.
- any downstream project would benefit from the extra security layer upstream.
- Individuals or organizations willing to build encrypted modified installers by themselves for at most distribution in a closed or at least restricted environment.
- Shops which are authorized to sell Arch merchandise, who could add the "pre-encrypted featureful install drive with dongle"* item to their stores so that one refer a nice startup kit to kids.
- Individuals or organizations willing to use archiso as a practical tool to manage their systems as easily reproducible immutable snapshots.
To make that happen I'm proposing (!217 (closed)) to add and extend some new
keys_image_type: same values as above
keys_image_tool_options: same as airootfs_image_tool_options
buildmode: keys # when enabled produces the iso/image
# for the aforementioned dongle
For users produce the profiles online, there is an IPython script which can be opened in a Jupyter notebook public online instance like those offered by Wikimedia or Google.
- This MR depends on the
encrypthook-compatible branch of
mkinitcpio-archiso, which depends on
cryptsetup-nested-cryptkeyAUR package, which you can interpret as my I don't know where to send it merge request to add "root on file" compatibility to
- it already includes !253 (closed).
PKGBUILD that builds an
releng, has been published as
*I'd like proposals for other useful features it could be mostly be considered free to add to it i.e. bootloader, initramfs pre-configured for pxe.