This small howto explains how to install a live system from an ISO file [e.g. bt4.235R2.iso] to a USB stick with multiple boot options.
It also shows how to encrypt your squashfs and your changes partition.
Download Unetbootin from http://unetbootin.sourceforge.net/ or run
wget http://santa.fnord.cx/bt4_bh/unetbootin-linux-494
grub is already preinstalled on the system; we just need to rewrite our MBR to install grub to our USB stick.
To find our USB stick we do
mount | grep cdrom0 | cut -d' ' -f1
If we see that our USB stick is e.g. sdb1, we have to remount it read-write first so that we can write to it:
mount -o remount,rw /dev/sdb1
Then we install grub to sdb (NOT sdb1):
grub-install --recheck --force-lba --root-directory=/media/cdrom0/ /dev/sdb
and always remember: every stick is bootable!
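As an added example (not from the howto), the device lookup and the "whole disk, not the partition" rule above as two shell functions. The function names are mine and the mount output used in the test is constructed; parent_disk also handles mmcblk and nvme names, which the howto does not mention.

```shell
#!/bin/sh
# Added example, not part of the original howto: find the device behind a
# mount point (the howto's `mount | grep cdrom0 | cut -d' ' -f1`) and derive
# the whole-disk device that grub-install must be given.

# mount_device MOUNTPOINT [MOUNT_OUTPUT] -> print the device mounted there.
# MOUNT_OUTPUT lets a caller pass in captured mount(8) output; without it,
# mount(8) is run directly.
mount_device() {
    mp=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(mount); fi
    # mount prints "DEVICE on MOUNTPOINT type FS (opts)"; match field 3 exactly
    printf '%s\n' "$out" | awk -v mp="$mp" '$3 == mp { print $1; exit }'
}

# parent_disk PARTITION -> print the disk holding it:
#   /dev/sdb1 -> /dev/sdb, /dev/mmcblk0p1 -> /dev/mmcblk0, /dev/nvme0n1p2 -> /dev/nvme0n1
parent_disk() {
    case $1 in
        /dev/mmcblk*p[0-9]*|/dev/nvme*p[0-9]*)
            printf '%s\n' "$1" | sed 's/p[0-9]*$//' ;;
        /dev/[sh]d[a-z]*)
            printf '%s\n' "$1" | sed 's/[0-9]*$//' ;;
        *)
            echo "unrecognised device name: $1" >&2; return 1 ;;
    esac
}

# Usage on the live system (assumes the stick is mounted at /media/cdrom0):
#   part=$(mount_device /media/cdrom0)
#   grub-install --recheck --force-lba --root-directory=/media/cdrom0/ "$(parent_disk "$part")"
```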
Depending on what distro you are using, you may have to load a kernel module. It doesn't hurt anything if it is already loaded.
modprobe aes-i586
modprobe sha512
or, if you want other ciphers:
modprobe twofish
modprobe serpent
modprobe xts
see if all is loaded, and list your encryption possibilities with
cat /proc/crypto | grep name
!!! this will only work on NTFS or ext3 partitions !!! [because the crypto container is larger than 4 GB, which FAT32 can't handle]
Now we encrypt the filesystem.squashfs file. To do this we will create a LUKS container that is slightly bigger than the filesystem.squashfs file. Here we will use 4 GB, but you are free to choose any size as long as it is larger than the filesystem.squashfs, and create it in a temporary directory. We used /mnt/uniq_tmp. You can do this from inside the running system.
!!! just make sure you have enough space in your tmp folder !!!
Make a temp folder:
mkdir /media/yourhardrive/uniq_tmp -v
We will first make the container. The size is dictated by the count parameter of the dcfldd command (in megabytes, with bs=1M). Feel free to use /dev/random instead of urandom.
Note that this will take a few minutes.
dcfldd if=/dev/urandom of=/media/yourhardrive/uniq_tmp/cryptosys bs=1M count=4200
Then attach it to a loop device:
losetup /dev/loop2 /media/yourhardrive/uniq_tmp/cryptosys -v
Choose a strong passPHRASE here. It's pointless to go through all this trouble to encrypt everything and then choose a weak password.
cryptsetup -y -i 2351 --cipher aes-cbc-plain:sha512 --key-size 256 -T 4 luksFormat /dev/loop2
Now that we have our container, let's open it, put a filesystem in it, and put the filesystem.squashfs file in:
cryptsetup luksOpen /dev/loop2 uniq
mkfs.ext3 /dev/mapper/uniq -L "uniq"
mkdir /mnt/uniq -v
mount /dev/mapper/uniq /mnt/uniq -v
rsync -a --progress /media/cdrom0/casper/filesystem.squashfs /mnt/uniq
!!! NOTE: if rsync fails, your cryptosys file was too small. → do the clean up below, start again from dcfldd and use a higher count !!!
umount /mnt/uniq -v
rm -rfv /mnt/uniq
cryptsetup luksClose /dev/mapper/uniq
losetup -d -v /dev/loop2
We have the filesystem.squashfs file encrypted inside the uniq crypto container. Now we only have to rename and move it to its final destination on our stick. For that, we need to know where our stick is mounted. If you don't know that, try:
mount | grep cdrom0 | cut -d' ' -f1
Now we see that our stick is at e.g. /dev/sdb1. We use that knowledge to remount our USB stick writeable, so we can put our uniq crypto container there:
mount -o remount,rw /dev/sdb1
The next line is for paranoid people who want to make sure no plaintext copy of the squashfs is left on the stick [may take a while]:
wipe /media/cdrom0/casper/filesystem.squashfs
Then we move the container into place:
mv -fv /media/yourhardrive/uniq_tmp/cryptosys /media/cdrom0/casper/filesystem.squashfs
and unmount our temp directory:
umount -fv /media/yourhardrive/uniq_tmp/
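Two checks that belong to the container steps above, written as an added example rather than taken from the howto: derive the dcfldd count from the real size of filesystem.squashfs instead of guessing 4200 (so rsync cannot run out of space), and compare the copy inside the container with the original before the original is wiped. The headroom figures (10% plus 64 MiB for the LUKS header, ext3 journal and reserved blocks) are my assumptions, as are the function names; the same_content check has to run while /mnt/uniq is still mounted, i.e. before the cleanup and before wipe.

```shell
#!/bin/sh
# Added example, not part of the original howto: size the LUKS container from
# the squashfs it must hold, and verify the copy before the plaintext is wiped.
# Headroom (+10% and +64 MiB) is an assumption of this example.

# file_size_bytes FILE -> size in bytes (wc -c is POSIX and portable)
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# container_count_mib BYTES -> count for dcfldd bs=1M: round up to whole MiB,
# then add headroom for the LUKS header and ext3 metadata
container_count_mib() {
    mib=$(( ($1 + 1048575) / 1048576 ))
    echo $(( mib + mib / 10 + 64 ))
}

# squashfs_count SQUASHFS -> the count to pass to dcfldd for this file
squashfs_count() {
    container_count_mib "$(file_size_bytes "$1")"
}

# container_fits CONTAINER SQUASHFS -> 0 if CONTAINER is at least squashfs_count MiB
container_fits() {
    need=$(squashfs_count "$2")
    have=$(( $(file_size_bytes "$1") / 1048576 ))
    [ "$have" -ge "$need" ]
}

# same_content A B -> 0 if both files have the same CRC and length (cksum on stdin
# prints "crc size" without a filename, so the two outputs compare directly)
same_content() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# Usage on the live system (paths as in the howto):
#   dcfldd if=/dev/urandom of=/media/yourhardrive/uniq_tmp/cryptosys bs=1M \
#          count="$(squashfs_count /media/cdrom0/casper/filesystem.squashfs)"
#   ... luksFormat / luksOpen / mkfs.ext3 / mount / rsync as above ...
#   same_content /mnt/uniq/filesystem.squashfs /media/cdrom0/casper/filesystem.squashfs \
#       || { echo "copy differs, do not wipe the original" >&2; exit 1; }
```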
Alright. Now we have the filesystem.squashfs file encrypted and back in the right place on our stick. Halfway there.
Next thing we need to do is to fix our initrd, so it can open our container.
We now have everything encrypted but this won't do us any good because our initrd doesn't know that what it is looking for is encrypted. Let's fix that. We will be using the initrd.gz that we downloaded and extracted from the BT iso earlier. First lets copy the initrd.gz file to its own directory and extract it.
mkdir ~/initrd -v
cp /media/cdrom0/boot/initrd.gz ~/initrd/ -v
cd ~/initrd
gunzip -v ./initrd.gz
cpio -idv < ./initrd
While we're at it, delete the archive we just extracted so it doesn't get in the way when we compress everything again.
rm -v ./initrd
Now we can edit the startup script files.
cd ./scripts
If you want to open your changes partition via UUID but don't know how to find the right UUID, try:
vol_id -u /dev/sdb2
Open “casper-helpers” for editing.
kate ./casper-helpers
Starting on line 122 and ending at line 166 is the “setup_loop” function.
We need to make that function look like the one below.
NOTE: do not forget to change the UUID to the UUID of your changes partition!
setup_loop() {
    local fspath=$1
    local module=$2
    local pattern=$3
    local offset=$4

    modprobe ${MP_QUIET} -b "$module"
    /sbin/udevadm settle

    if [ "$module" = loop ]; then
        if [ ! -e /dev/loop0 ]; then
            # temporary workaround for kernel bug
            for i in 0 1 2 3 4 5 6 7; do
                mknod "/dev/loop$i" b 7 "$i" || true
            done
        fi
        dev="$(losetup -f)"
        if [ "$dev" ]; then
            if [ -n "$offset" ]; then
                losetup -o "$offset" "$dev" "$fspath"
            else
                # Encryption squashfs Begin
                # the LUKS container is attached as a loop device, unlocked,
                # mounted, and the squashfs inside it is attached as a second loop
                mkdir -p /mnt
                losetup "$dev" "$fspath"
                echo "Password: " >&6
                cryptsetup luksOpen "$dev" luksloop >&6
                # workaround (part 2):
                mount -t ext3 /dev/mapper/luksloop /mnt
                dev="$(losetup -f)"
                losetup "$dev" /mnt/filesystem.squashfs
                # Encryption squashfs End
                # encryption changes
                echo "Password changes: " >&7
                # load encrypted changes
                #cryptsetup luksOpen /dev/sdb2 casper-rw >&7
                # load encrypted changes via uuid
                cryptsetup luksOpen /dev/disk/by-uuid/25017ed5-aab5-your-uuid-0a1b22c23510 casper-rw >&7
            fi
            echo "$dev"
            return 0
        else
            panic "No loop devices available"
        fi
    else
        for loopdev in $pattern; do
            if [ "$(cat $loopdev/size)" -eq 0 ]; then
                dev=$(sys2dev "${loopdev}")
                if [ -n "$offset" ]; then
                    losetup -o "$offset" "$dev" "$fspath"
                else
                    losetup "$dev" "$fspath"
                fi
                echo "$dev"
                return 0
            fi
        done
        panic "No loop devices available"
    fi
}
My changes are marked between the comments "Encryption squashfs Begin/End". Either replace the whole function with what I have posted above, or just add my changes between the two comments mentioned.
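An initrd rebuilt with the placeholder UUID still in casper-helpers boots, asks for the changes passphrase and then fails to find the partition. As an added example (not the howto's code), the following helpers substitute the UUID from vol_id into the script and refuse to proceed when the value is not a UUID or the placeholder is still there. The placeholder string is the one from the function above; the helper names, and the casper-helpers fragment used in the test, are mine.

```shell
#!/bin/sh
# Added example, not part of the original howto: put the changes-partition UUID
# into casper-helpers safely and check the edit before repacking the initrd.

# The placeholder exactly as it appears in the setup_loop function above
PLACEHOLDER='25017ed5-aab5-your-uuid-0a1b22c23510'

# is_uuid STRING -> 0 if STRING is 8-4-4-4-12 lowercase hex (the form vol_id -u prints)
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# set_changes_uuid FILE UUID -> replace the placeholder in FILE with UUID.
# Refuses malformed UUIDs so a typo cannot end up in the initrd.
set_changes_uuid() {
    file=$1; uuid=$2
    is_uuid "$uuid" || { echo "refusing: '$uuid' is not a UUID" >&2; return 1; }
    tmp="$file.tmp.$$"
    # sed -i is not portable between GNU and BSD, so write a temp file and rename
    sed "s|$PLACEHOLDER|$uuid|g" "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_changes_uuid FILE -> 0 only if the placeholder is gone and the
# /dev/disk/by-uuid/... casper-rw line carries a well-formed UUID
check_changes_uuid() {
    if grep -q "$PLACEHOLDER" "$1"; then
        echo "$1: UUID placeholder was never replaced" >&2
        return 1
    fi
    found=$(sed -n 's|.*/dev/disk/by-uuid/\([^ ]*\) casper-rw.*|\1|p' "$1" | head -n 1)
    [ -n "$found" ] && is_uuid "$found"
}

# Usage inside ~/initrd/scripts (device as in the howto):
#   set_changes_uuid ./casper-helpers "$(vol_id -u /dev/sdb2)" \
#       && check_changes_uuid ./casper-helpers || exit 1
```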
Copy the boot directory to the stick:
cp -frvp /media/cdrom0/boot /mnt/h00dy
Rename the original initrd:
mv -fv /mnt/h00dy/boot/initrd.gz /mnt/h00dy/boot/initrd.nocrypt.gz
Zip your initrd back together (from ~/initrd, not from the scripts subdirectory) and move it into place:
cd ..
find . | cpio -o -H newc --verbose | gzip -9 > /root/initrd.gz
Move the new initrd into the boot directory and copy the remaining top-level files of the ISO:
mv -fv /root/initrd.gz /mnt/h00dy/boot/
cp -fvp /media/cdrom0/{l,m,s,u}* /mnt/h00dy/
So far so good, we are nearly there …
sha512sum
#!/bin/sh
# checksum FILE ALGO: compare openssl's ALGO digest of FILE with the digest
# stored in FILE.ALGO (first field of the file, so both "hash  name" and
# "hash *name" layouts work)
checksum () {
    echo "Checking file: $1"
    echo "Using $2 file: $1.$2"
    file1=`openssl "$2" "$1" | awk -F " " '{print $2}'`
    file2=`awk '{print $1}' "$1.$2"`
    echo "$file1"
    echo "$file2"
    if [ "$file1" != "$file2" ]
    then
        echo "$2 sums mismatch"
    else
        echo "$2 checksums OK"
    fi
}
if [ -n "$1" ]
then
    root_dir=$1
else
    root_dir=.
fi
for file in "$root_dir"/*.jar "$root_dir"/*.tar.gz "$root_dir"/*.zip; do
    [ -e "$file" ] || continue   # skip globs that matched nothing
    checksum "$file" 'md5'
    checksum "$file" 'sha1'
    echo "GPG verification output"
    gpg --verify "$file.asc" "$file"
    echo "~~~~~~~~~~~~~~~~~~~~~~~"
done