Porteus

It would be nice if there was an option to enable full disk encryption when installing Porteus to a hard drive. It's good for corporate users who carry around their laptops with sensitive data.

There's a tutorial on how to do it manually here:
ftp://ftp.slackware.com/pub/slackware/s ... _CRYPT.TXT

it was mentioned couple of times on the forum before:
there is no benefit of full disk encryption. it makes the system only slower as modules must be decypted first then decompressed.

please encrypt your changes in save.dat (we have a GUI for this) and you are safe.

Somebody could tamper with the kernel module and insert malicious code in it if the whole drive is not encrypted. Then it does not matter if a portion of the system is encrypted (the save.dat method), because upon decrypting, the malicious code could activate and the attacker would have access to the data.

You could simply use a read-only media like a CD to achieve this, even. Of course the safekeeping of the CD is your job, in that case though.

(You can then simply write a script that asks for the root password once and loads all your required modules.)

@ashkenazi
modified kernel still wont be able to decrypt your save.dat

unless you mean that someone will get an access to you usb -> modify kernel in it -> give the stick back to you -> you'll keep using it as normal (providing password every boot)
this is possible but rather extreme rare scenario.

low benefit and lot of work - i wont be implementing this myself.

But you can check that you are not "infected" - for example script in changes that would check md5sums of activated modules, vmlinuz and initrd.xz.

to this problem, I just work
i have written a new cheatcode called "encr"

description:

encr=[S:]path1;path2;pathN

... Decrypt and mount filecontainer or partitions in the order path1 path2 pathN
The password will be saved in a variable and trying to use again.

If it was a decrypted changes container was used. It will trying to use the password from them.

The files will mount to /mnt/mapper/$FILENAME this path is after booting: /mnt/live/mnt/mapper/$FILENAME
If the path begun with /dev or /mnt they will not be changed but other like /porteus/* will changed.
The script setting the livecd path at the beginning, ex: /porteus/file.dat > /mnt/sr0/porteus/file.dat


The "S:" is for developing it save the password to [/mnt/live]/var/log/encr/.encrpw
It is dangerous to use them and should not be used.

example:
encr=/dev/sda3;/porteus/emod.luk;/porteus/matr1.luk;/mnt/mapper/matr1.luk/matr2.luk;/mnt/mapper/matr2.luk/matr3.luk
will mount in folling order:
/dev/sda3 > [/mnt/live]/mnt/mapper/sda3
/mnt/sr0/porteus/emod.luk > [/mnt/live]/mnt/mapper/emod.luk
/mnt/sr0/porteus/matr1.luk > [/mnt/live]/mnt/mapper/matr1.luk
/mnt/mapper/matr1.luk/matr2.luk > [/mnt/live]/mnt/mapper/matr2.luk
/mnt/mapper/matr2.luk/matr3.luk > [/mnt/live]/mnt/mapper/matr3.luk
if matr2.luk container have a other password like container (or partitions) before you will ask again
and the same password is used for matr3.luk

here the first draft for 64bit

it rebuild the cryptsetup
see crsetup_src/source/readme.txt

note:
If everyone use disk encryption use the "noswap" cheatcode to prevent that the password will public.
use only in conjuction:
with "noswap"
without "changes=.."
or only "changes=.. changes-ro"

but i have a question:

this cheatcode saving the password in a variable and put them to cryptsetup like: How dangerous is it ?
better use this cheadcode only in freshmode
I have no idea if the password show up somewhere in the system.

I have littlebit changing the cheatcode.
Now it supports plainmode, luks, truecrypt and veracrypt (experimental).
It seems to work fine (on 32 and 64bit), but it is not much tested, also be carefull.
The source and ready modules (not a ready CD, use ./source/initrd/mkcd.sh to build them) are here: crsetup_src3.tar.xz (md5 = 7077886e05beb90f7fc629ff44225ac3)
The full description are in the readme.txt included in the archive.

The compiling of crsetup_src3 fails (updated signature files)
for this reason i have move some signatur files.
here are the update: crsetup_src4.tar.xz
md5sum: 3d7aa1cbd000d74900947b635d9510b2