encryption for porteus via extra cheatcode encr=...

Post#1 by KnallKopf » 08 Nov 2015, 02:51

I have moved it for now to the proper section, from here.

I have built and updated cryptsetup-1.7.0, truecrypt-7.1a and veracrypt-1.16
and modified the linuxrc (and some other files) to add a new cheatcode encr=[cmd1:]path1;[cmd2:]path2;[cmdN:]pathN .
This causes the password from changes, or from the first entry in encr, to be tried again.
From the readme.txt:
description:

encr=[cmd1:]path1;[cmd2:]path2;[cmdN:]pathN

... Decrypt and mount file containers or partitions in the order path1 path2 pathN.
The password is saved in a variable and tried again;
it will always use the last saved password.

If a decrypted changes container was used, it will try to use the password from that.

Supported Formats:
veracrypt with cryptsetup
truecrypt with cryptsetup
luks with cryptsetup
plain with cryptsetup

Non-LUKS formats need a preceding [cmd:], because they are headerless and cannot be detected automatically.
The syntax is: p|P|l|L|t|T|v|V[num][options separated by '~']:

first character:
Uppercase means a useful selection of options.
Lowercase means no options. Useful if you have your own options,
but it only makes a difference for T|t.

For LUKS with no other options etc. it can be left out; it will be detected automatically.
p|P: cryptsetup $YOUR_OPTIONS open $dev --type plain $mapper
l|L: cryptsetup $YOUR_OPTIONS open $dev --type luks $mapper
L is the default and is detected automatically, so it may be omitted.
t: cryptsetup $YOUR_OPTIONS open $dev --type tcrypt $mapper
T: cryptsetup $YOUR_OPTIONS (--tcrypt-hidden) open $dev --type tcrypt $mapper
V: cryptsetup $YOUR_OPTIONS --veracrypt (--tcrypt-hidden) open $dev --type tcrypt $mapper
for (--tcrypt-hidden) see noask4hidden

[num]:
In some (but not useful) cases it is required to save a second password in PPHRASE_2 and use it,
for example for --protect-hidden=yes.
num can be left out; the default is 1.
0: no saved password is used and the password will not be saved.
1: try to use $PPHRASE_1; on success save to $PPHRASE_1 (this is the default)
2: try to use $PPHRASE_1 for the first password, on success save to $PPHRASE_1; then try to use $PPHRASE_2 for the second, on success save to $PPHRASE_2
3: try to use $PPHRASE_2 for the first password, on success save to $PPHRASE_1; then try to use $PPHRASE_1 for the second, on success save to $PPHRASE_2
options:
cryptsetup options separated by '~' are saved in $YOUR_OPTIONS and used for example in: cryptsetup $YOUR_OPTIONS open --type tcrypt $dev $mapper

The files are mounted at /mnt/mapper/$FILENAME.
If the path does not begin with /porteus it is not changed, but paths like /porteus/* are changed:
the script prepends the livecd path, e.g. /porteus/file.dat > /mnt/sr0/porteus/file.dat

Note:
Still, be careful: the additional code is not extensively tested.

If you use disk encryption, only do so without unencrypted swap:
use the 'noswap' parameter.
If you really need swap, see the (useful) example, or
make a swapfile on the encrypted disk and mount it later via your own script.
Otherwise people can (with luck) find your password on the swap partition.

Don't use blanks in pathnames, because the code is not designed for them.
Don't use duplicate filenames. 'encr=/porteus/cont1.img:/porteus/container/cont1.img' will not work, because the code distinguishes by filename.
Don't use the name 'crypt' for your container, because this is the mapper name of the changes container.



noask4hidden

... for truecrypt (T) and veracrypt (V) containers you will be asked whether to use a hidden container.
cryptsetup needs the extra option --tcrypt-hidden in this case.
noask4hidden causes that you are not asked and the option is not used.



encr-savepw

... see encr
saves $PPHRASE_1 to /var/log/encr/.encrpw-1.txt
saves $PPHRASE_2 to /var/log/encr/.encrpw-2.txt
It is only for debugging and very dangerous, because the secret plaintext password is saved to a file.



I know this is a little bit complex, but here are some examples:
ex. 1)
You want to build a modified livecd. Changes are in a Truecrypt container changes.tc and some modules are in a LUKS-encrypted container img.lc.
The modules are in the directory ./exmod64 on the img.lc image.
Both are in the porteus directory:

APPEND initrd=initrd.xz noswap nomagic noauto copy2ram changes-ro changes=T:/porteus/changes.tc encr=/porteus/img.lc noask4hidden extramod=/mnt/mapper/img.lc/exmod64
ex. 2)
A laptop with little RAM (1-2GB).
On sda1 is Windows 7 on a Truecrypt-encrypted partition.
sda2 is not encrypted; it is the boot partition for Linux.
sda2 contains a LUKS container for changes: 'psave.luk'
sda3 is the Truecrypt-encrypted data partition for Linux.
sda4 is the plain-encrypted swap partition.
The data on the disks is "normally" secret.
The super secret drafts are in a hidden veracrypt container on sda3 called 'supers.vc'.
The passwords of psave.luk, sda3 and sda4 are equal; the passwords of sda1 and supers.vc differ.

First entry, mounting only porteus and making changes:

APPEND initrd=initrd.xz noswap nomagic noauto copy2ram changes=EXIT:/psave.luk encr=T:/dev/sda3;P:/dev/sda4 noask4hidden

Second entry, mounting only porteus and windows, no changes:

APPEND initrd=initrd.xz noswap nomagic noauto copy2ram changes-ro changes=/psave.luk encr=t0~--tcrypt-system:/dev/sda1;T:/dev/sda3;P:/dev/sda4 noask4hidden

Third entry, mounting only porteus and the secret container, no changes:

APPEND initrd=initrd.xz noswap nomagic noauto copy2ram changes-ro changes=/psave.luk encr=T:/dev/sda3;V0:/mnt/mapper/sda3/supers.vc;P:/dev/sda4

Still, be careful: the additional code is not extensively tested and it is possible that data can be lost.

Here are the sources, including an automatic download and build script.
See the readme.txt.
(A lot of existing modules will be reinstalled, because the static sources are needed.)
crsetup_src5.tar.xz
md5sum: 6634819d11001b72b8a510595237257d


Here are the CD skeletons with the ready modules:
pskel-v3.1-x86_64.iso md5sum: 72a16c209e823a27a42cf21e69bf9021
pskel-v3.1-i486.iso md5sum: 0b5c96a7ced57c57a573e642f8b58b85


I am not an expert; for this reason I am interested in a discussion about what is secure and what isn't,
and which parameters should be used for cryptsetup, etc.
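To make the [cmd:]path syntax above concrete, here is an added dry-run parser written for this page; it is not the author's linuxrc code. It maps one encr= entry to the cryptsetup command line the readme excerpt documents and only prints it, never runs it. Assumptions: the live medium is /mnt/sr0 (as in ex. 1), and the second argument (yes|no) stands in for the interactive "hidden container?" question, with "no" being what noask4hidden gives.

```shell
# Added illustration (not the author's linuxrc code): turn one 'encr=' entry
# "[cmd:]path" into the cryptsetup command line described in the post and
# print it (dry run). Format letters follow the readme excerpt: p|P plain,
# l|L luks (default when [cmd:] is absent), t|T tcrypt (T may add
# --tcrypt-hidden), V veracrypt (--veracrypt, may add --tcrypt-hidden).
encr_cmd() {
    entry=$1; hidden=${2:-no}          # hidden=yes|no replaces the prompt
    case $entry in
        *:*) cmd=${entry%%:*}; path=${entry#*:} ;;
        *)   cmd=L; path=$entry ;;     # no [cmd:] -> LUKS, auto-detected
    esac
    fmt=${cmd%"${cmd#?}"}              # first character = format
    rest=${cmd#?}                      # [num][~opt~opt...]
    num=${rest%%~*}; num=${num:-1}     # password slot, default 1
    opts=$(printf '%s' "$rest" | cut -s -d'~' -f2- | tr '~' ' ')
    hid=""
    # /porteus/* gets the live medium prefix (assumed /mnt/sr0, as in ex. 1);
    # other paths (/dev/sdaN, /mnt/mapper/...) are used unchanged
    case $path in
        /porteus/*) dev=/mnt/sr0$path ;;
        *)          dev=$path ;;
    esac
    mapper=${path##*/}                 # mounted under /mnt/mapper/$mapper
    case $fmt in
        p|P) type=plain ;;
        l|L) type=luks ;;
        t)   type=tcrypt ;;
        T)   type=tcrypt
             if [ "$hidden" = yes ]; then hid=" --tcrypt-hidden"; fi ;;
        V)   type=tcrypt; opts="${opts:+$opts }--veracrypt"
             if [ "$hidden" = yes ]; then hid=" --tcrypt-hidden"; fi ;;
        *)   echo "encr: unknown format '$fmt' in '$entry'" >&2; return 1 ;;
    esac
    printf 'slot=%s cryptsetup%s%s open %s --type %s %s\n' \
        "$num" "${opts:+ $opts}" "$hid" "$dev" "$type" "$mapper"
}

# Whole 'encr=' value: entries separated by ';', handled in the given order.
encr_plan() {
    list=$1; hidden=${2:-no}
    old_ifs=$IFS; IFS=';'
    for e in $list; do IFS=$old_ifs; encr_cmd "$e" "$hidden" || return 1; done
    IFS=$old_ifs
}

# The third boot entry from ex. 2 above:
encr_plan 'T:/dev/sda3;V0:/mnt/mapper/sda3/supers.vc;P:/dev/sda4'
```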
