Arch Linux / archiso / Merge requests / !217

Add support to generate encrypted images

Closed Tallero Tallero requested to merge tallero/archiso:crypto into master Dec 08, 2021
  • Overview 1
  • Commits 200
  • Pipelines 253
  • Changes 18

Solves #156 (closed), #181 (closed), #171 (closed) (partially).

# New values in profiledef.sh
airootfs_image_type:     ext4+squashfs+luks
                         squashfs+luks
                         erofs+luks
keys_image_type:         same values as above
keys_image_tool_options: same as airootfs_image_tool_options
buildmode:               keys  # when enabled produces the iso/image
                               # for the aforementioned dongle
encryption_key:          <file>
                         auto

New +luks airootfs image types are added to handle LUKS encrypted rootfs.

One of a key, a plain password or an activation dongle image is returned together with the main ISO if an encrypted image type is selected.

Encryption type is handled by the encryption_key variable.

When set to a file, it will use it for encryption.

When set to auto, it will encrypt the disk with a newly generated key.

When unset, the user is prompted to insert a plain-text password.

A new keys buildmode is added which builds an <iso_label>_KEYS ISO which automatically unlocks the system when physically attached to the computer.

A new variable for crypto kernel parameters has been added to bootloaders' configurations.

When encryption is enabled, the public package list is (should be? do we want a ) removed from the ISO.

Depends on

  • !253 (closed).
  • !259 (closed).
  • mkinitcpio/mkinitcpio-archiso!25.
  • support on-file rootfs to support patch for cryptsetup's encrypt hook.

Currently superseded by

  • !279 (closed)

Testing

  • Burn archlinux (AUR).
  • A PKGBUILD that builds this branch has been published as archiso-encryption (AUR) with preconfigured ebaseline and ereleng replicas in archiso-profiles (AUR)
Edited Sep 02, 2022 by Tallero Tallero
Source branch: crypto
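
The three encryption_key cases from the description above (file, auto, unset), as an added shell sketch for checking a profile before a build; this is not code from the merge request or from archiso. The function names, the 64-byte key size and the permission check are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not archiso code. All function names are hypothetical.

# True when the file has no group/other permission bits set.
key_file_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Create a new random key file that only the owner can read.
# Refuses to overwrite an existing file; 64 bytes is an assumed size.
generate_key() {
    local out="$1"
    [ ! -e "$out" ] || return 1
    ( umask 077 && dd if=/dev/urandom of="$out" bs=64 count=1 2>/dev/null )
}

# Print the key source a profile selects, following the description:
# a file path -> "file", the literal "auto" -> "auto", unset -> "password".
# Prints "none" when airootfs_image_type is not one of the +luks types.
resolve_key_mode() {
    local image_type="$1" key="${2-}"
    case "$image_type" in
        ext4+squashfs+luks|squashfs+luks|erofs+luks) ;;
        *) echo "none"; return 0 ;;
    esac
    if [ -z "$key" ]; then
        echo "password"
    elif [ "$key" = "auto" ]; then
        echo "auto"
    elif [ -f "$key" ]; then
        # A key readable by other users defeats the encryption it protects.
        key_file_is_private "$key" ||
            echo "warning: $key is accessible by group or others" >&2
        echo "file"
    else
        echo "error: encryption_key '$key' is not a file" >&2
        return 1
    fi
}

# Constructed sample values, as they might appear in a profiledef.sh.
airootfs_image_type="squashfs+luks"
encryption_key="auto"
echo "key mode: $(resolve_key_mode "$airootfs_image_type" "$encryption_key")"
```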