Hi,
I've managed to use the kickstart files to create a Fedora 31 KDE live CD without any problems.
Actually I have a simple python script which conglomerates all the KS files together to make it easier to deal with. Then I customize it and have it copy some files into the /var/www/html directory.
I am now trying to see what is necessary to have it encrypted (with Luks) so it prompts for the password at boot time.
part /boot --size=512 --fstype=ext4 part / --encrypted --cipher=aes-xts-plain64 --size=8200 --fstype=ext4
Those commands don't seem to make it encrypted.. Is encryption ignored for the livecd? Am I not doing something correctly, or is this not possible?
Thanks, Earl
On Sun, 2020-03-22 at 00:25 -0400, Earl Terwilliger via users wrote:
Hi,
I've managed to use the kickstart files to create a Fedora 31 KDE live CD without any problems.
Actually I have a simple python script which conglomerates all the KS files together to make it easier to deal with. Then I customize it and have it copy some files into the /var/www/html directory.
I am now trying to see what is necessary to have it encrypted (with Luks) so it prompts for the password at boot time.
part /boot --size=512 --fstype=ext4 part / --encrypted --cipher=aes-xts-plain64 --size=8200 --fstype=ext4
Those commands don't seem to make it encrypted.. Is encryption ignored for the livecd? Am I not doing something correctly, or is this not possible?
I'm curious. What would be the point of encrypting a live CD? It doesn't contain any user data.
poc
On Sun, 22 Mar 2020 at 08:19, Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Sun, 2020-03-22 at 00:25 -0400, Earl Terwilliger via users wrote:
Hi,
I've managed to use the kickstart files to create a Fedora 31 KDE live CD without any problems.
Actually I have a simple python script which conglomerates all the KS files together to make it easier to deal with. Then I customize it and have it copy some files into the /var/www/html directory.
Maybe these need to be protected.
I am now trying to see what is necessary to have it encrypted (with Luks) so it prompts for the password at boot time.
part /boot --size=512 --fstype=ext4 part / --encrypted --cipher=aes-xts-plain64 --size=8200 --fstype=ext4
Those commands don't seem to make it encrypted.. Is encryption ignored
for
the livecd? Am I not doing something correctly, or is this not possible?
I'm curious. What would be the point of encrypting a live CD? It doesn't contain any user data.
A custom CD could certainly contain secrets, but encrypting the whole CD seems like overkill. How hard is to make a live CD using a loop file for a directory with secrets?
Note that it does contain user data that I copy into it. That is why I need to encrypted it.
On 4/1/20 9:25 PM, Earl Terwilliger via users wrote:
Note that it does contain user data that I copy into it. That is why I need to encrypted it.
Are you inserting the data when you create the CD or you're using USB and adding the data while running it later? _______________________________________________
I am inserting the data when the iso is created. I want a self contained bootable USB stick that I can hand to someone. They boot it up, enter a password, load firefox and go to localhost. The localhost web site has a database and files that they can search through read, etc.
I have this all working fine on a non-encrypted usb stick however before I hand it out, I need the database and files to be encrypted.
On Thu, Apr 02, 2020 at 11:44:31 -0400, Earl Terwilliger via users users@lists.fedoraproject.org wrote:
I am inserting the data when the iso is created. I want a self contained bootable USB stick that I can hand to someone. They boot it up, enter a password, load firefox and go to localhost. The localhost web site has a database and files that they can search through read, etc.
If it doesn't work out this way, it is possible to have an encrypted persistent partion created when you put the image on the usb drive. You could then add the data there afterwards and make direct copies of the usb stick if you need multiple copies. I used to have a liveusb set up with an encrypted partition a number of years ago.
I have created LV's and then encrypted said LV and then mounted the decrypted device. So he should be able to create a LV just for the data and encrypt it. The machine would fully boot up but then a password would need to be entered to see the data on that LV. You would probably want a script to build the crypt device and then mount said filesystem if the password was right. If the password was typed wrong you would want to script to be able to be rerun again to do it correctly.
There is little or not point in putting a user password on the ISO itself as that is trivially breakable unless that password is the password to decrypt the iso which would be much less forgiving (wrong password means completely reboot and try again from the start).
On Thu, Apr 2, 2020 at 12:05 PM Bruno Wolff III bruno@wolff.to wrote:
On Thu, Apr 02, 2020 at 11:44:31 -0400, Earl Terwilliger via users users@lists.fedoraproject.org wrote:
I am inserting the data when the iso is created. I want a self contained bootable USB stick that I can hand to someone. They boot it up, enter a password, load firefox and go to localhost. The localhost web site has a database and files that they can search through read, etc.
If it doesn't work out this way, it is possible to have an encrypted persistent partion created when you put the image on the usb drive. You could then add the data there afterwards and make direct copies of the usb stick if you need multiple copies. I used to have a liveusb set up with an encrypted partition a number of years ago. _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
-
Bruno Wolff III -
Earl Terwilliger -
George N. White III -
Patrick O'Callaghan -
Roger Heflin -
Samuel Sieb