Encrypted persistent ubuntu livecd (16.10) redux

In a previous post I show how to re-master an Ubuntu raring livecd to allow for a LUKS encrypted persistent storage area.  These instructions will not work for Ubuntu 16.10, so I’m writing this blog post to show what needs to be done differently. For a more thorough review of the issue, please see the previous post.


If you just want to patch the iso, I’ve generated an xdelta for the encrypted persistence modifications against the ubuntu-16.10-desktop-amd64 iso.  First make sure you have the xdelta program installed.  Then download this patch, and run the following command:

xdelta patch ubuntu-16.10-desktop-amd64-persist.xdelta \
             ubuntu-16.10-desktop-amd64.iso \

Updates for allowing encrypted persistence

The following instructions are specific to Ubuntu 16.10, but I suspect that they will work for 16.04 and probably for a few editions after 16.10 (basically until they change the initrd image again).  They are basically the same as in the post on 13.04, except we need to add cryptsetup and and the dm-crypt kernel module to the initrd.

      1. clone this git repository
      2. $ edit_iso.sh ubuntu-16.10-desktop-amd64.iso
      3. Choose yes to editing the initrd
      4. Update the initrd using the following commands. I am assuming that you are running on the ubuntu-16.10-desktop-amd64 livecd.  This matters because your kernel must be the exact same as the kernel on the iso your editing (otherwise you’ll need to get the kernel modules from the filesystem.squash in the iso).
        1. patch -p1 < ubuntu-16.10-desktop-amd64-encrypt-persist.patch
          1. This patch adds in the hook that allows the iso to find and use our encrypted persistence file.
        2. MODDIR=$(ls -1d lib/modules/*)
          cp -vp {,.}/$MODDIR/kernel/drivers/md/dm-crypt.ko
          rsync -uavSP {,.}/$MODDIR/kernel/crypto
          mkdir -p $MODDIR/kernel/arch/x86/crypto
          rsync -uavSP {,.}/$MODDIR/kernel/arch/x86/crypto
          depmod -a -b .
          cp -vp /sbin/cryptsetup sbin/
          cp -vdp /lib/x86_64-linux-gnu/libcryptsetup* \
                  /lib/x86_64-linux-gnu/libgpg-error.so.* \
                  /lib/x86_64-linux-gnu/libgcrypt.so.* \
                  /lib/x86_64-linux-gnu/libpopt.so.* \
          mkdir -p lib/cryptsetup
          cp -vp /lib/cryptsetup/askpass lib/cryptsetup/
          1. Here we are adding dm-crypt and the cryptsetup binary to the initrd.  They used to be included, but apparently were taking out.
      5. Exit the editing shell.Edit both grub.cfg and loopback.cfg so that there is an entry with the kernel parameter persistent.

Now you should have an iso with encrypted persistence capabilities!  Note that I have only tested that the iso works when loopback mounted via grub2.  If you have trouble booting it from a cdrom let me know.  Also, this iso will not likely work when copied to a raw partition, unlike the official isos.  It looks like I need to use isohybrid, but I haven’t looked much further into it.  If anyone knows what needs to be done to add this, a comment would be welcome and I’ll update the xdelta.

Setting up the encrypted persistent file

This was not made explicit in my previous post, so I’ll include how to setup the encrypted file to be used as a backing store (more indepth coverage can be found on this wiki page).  The first thing to keep in mind is that this file must be at the root of an unencrypted partition and I believe that the filesystem on which the file is located must be a FAT filesystem.  I keep my persistent file on the same FAT partition that holds the iso file.  Here’s a command sequence that illustrates how to create the persistent file assuming your current working directory is where you want the file to be located.

# Create file with the size you want to have for storing your data.
# I choose 1Gb here.
dd if=/dev/zero of=casper-rw bs=1M count=1K

# Format as a LUKS encrypted device
cryptsetup luksFormat casper-rw

# Create decrypted device mapper device
cryptsetup luksOpen casper-rw cpersistent

# Create filesystem, it can be any filesystem supported by the initrd.
# In this case I use BTRFS, though XFS or EXT4 should work as well.
mkfs.btrfs -L casper-rw /dev/mapper/cpersistent

# Close LUKS device
cryptsetup luksCLose cpersistent

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: