Add support to generate encrypted images (!217) · Merge requests · Arch Linux / archiso

Closed Tallero Tallero requested to merge tallero/archiso:crypto into master Dec 08, 2021

Solves #156 (closed), # #181 (closed), #171 (closed) (partially).

# New values in profiledef.sh
airootfs_image_type:     ext4+squashfs+luks
                         squashfs+luks
                         erofs+luks
keys_image_type:         same values as above
keys_image_tool_options: same as airootfs_image_tool_options
buildmode:               keys  # when enabled produces the iso/image
                               # for the aforementioned dongle
encryption_key:          <file>
                         auto

New +luks airootfs image types are added to handle LUKS encrypted rootfs.

One between a key, a plain password or an activation dongle image is returned together with the main ISO if an encrypted image type is selected.

Encryption type is handled by the encryption_key variable.

When set to a file, it will use it for encryption.

When set to auto, it will encrypt the disk with a newly generated key.

When unset, the user is prompted to insert a plain-text password.

A new keys buildmode is added which builds an <iso_label>_KEYS ISO which automatically unlocks the system when physically attached to the computer.

A new variable for crypto kernel parameters has been added to bootloaders' configurations.

When encryption is enabled, public package list is (should be? do we want a ) removed from the ISO.

Depends on

!253 (closed).
!259 (closed).
mkinitcpio/mkinitcpio-archiso!25.
support on-file rootfs to support patch for cryptsetup's encrypt hook.

Currently superseeded by

!279 (closed)

Testing

Burn archlinux (AUR).
A PKGBUILD that builds this branch has been published as archiso-encryption (AUR) with preconfigured ebaseline and ereleng replicas in archiso-profiles (AUR)

Edited Sep 02, 2022 by Tallero Tallero