You are not logged in.

#1 2020-09-06 09:16:50

Naik
Member
From: Lipsia
Registered: 2015-10-03
Posts: 265

[Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

Hello folks!

I came in touch with linux-live lately and it crossed my mind, that it would be nice to have it build my personalised BL live distro to have it with me.
So at first I made a fresh Lithium installation on a spare partition added some forensics tools (Yeah, I use linux so my main free time activity is to fix my family members rotten Win-machines) and the like and used the formentioned kit let it make the image. All wend great.
Than I thought about including my dropbox, btc-wallet and pw-manager of choice to have a real "Lab2Go". This in itself would not be a problem, but if the key should ever get lost it would mean a privacy nightmare to me, so one would have to have the "01-core.sb" encrypted some how.

What I tried:

-Naturally, simply encrypting this file via gpg breaks the boot process and I'm uncertain whether there is any way of having extlinux handle this
-Creating encrypted (Luks) root while installing Lithium in the first place works fine, but the resulting image simply ignores the encryption because it is decrypted at boot time and nothing is achieved
-There seems be an option to work with (probably encrypted) persistence, but I can`t find out how. It is managed via a /linux/changes folder on the live media. I just just filed issue to ask for encryption.

I was unable to get in touch with Mr. Thomas-M from Slax.org who maintains this project and am unsure whether or not to file an issue on this.

Edit: added findings of further investigation.

Does any of you have experience with this package and can help, or knows of any other way to achive this? I know I could just use TAILS or Kali with encrypted persitence but I am really not fond of Gnome and have no need for many a package Kali ships with, so I'd love to build my own.

Thank you!

EDIT2: I just learned that live-build supports encrypted persistence. So I will go on a (longer?) journey to learn how to use this. We'll meet again in the howto sektion when (and if) I've been successful.

naik --greetz

Last edited by Naik (2020-09-16 10:19:16)


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

#2 2020-09-16 11:13:19

Naik
Member
From: Lipsia
Registered: 2015-10-03
Posts: 265

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

Hello again!

Just for the sake of keeping the Forum clean I updated the title and started over again down here instead of opening a new thread.
If this was a bad decision please let me know, dear admins.

Prerequisites:

As stated above I wanted to have a kali-like USB-key with encrypted persistence but having it without most of the forensic tools and a nicer de and stuff. I want it to be based on Lithium.

I tried to get it with linux-live, but the "persistence" they offer does not follow the debian scheme (It comes from the Slax-world), so I wasn`t able to figure out how to encrypt it.

The Facts:

I read up on the live build tools debian offers and learned that there is an option to create the resulting image with encrypted root, but it is a pain in the a..fternoon to configure the build system to have something BL-Lithium like in the end and config/build failed multiple times with "internal Error", so I gave up on this for now.

The most promising way for now is to create a bootable USB with the help of the lithium.iso by:

- setting up 2 ext4 partitions (~2GB for the live system and the rest (~13GB) here for persistence) *referred to as sdx1 and sdx2 for now
- mounting the iso and sdx1 and copying the files to the USB
- tweaking the live.cfg in (/mnt/sdx1)/syslinux/ to something like:

label live-amd64
	menu label ^Lithium to go
	menu default
	linux /live/vmlinuz
	initrd /live/initrd.img
	append boot=live persistence components quiet splash

label live-amd64-failsafe
	menu label ^Live - failsafe
	linux /live/vmlinuz
	initrd /live/initrd.img
	append boot=live components memtest noapic noapm nodma nomce nolapic nomodeset nosmp nosplash vga=normal

- manually reinstalling syslinux

extlinux -i /mnt/sdx1

-making sure sdx2 is labeled "persistence" and creating the persistence.conf¹ on it.

This works and one has a Lithium-live key with persistence ready to be filled with new users, configs etc.

Now, going a step further, I tried the Kali-Linux approach:

-creating a LUKS encrypted container on sdx2 and opening it.
-creating an ext4 filesystem in it, labelling it "persistence" and filling it with the persistence.conf¹
-making sure to further add the following to the append boot line in live.cfg

label live-encrypted
	menu label ^Lithium to go encrypted 
 	menu default
	linux /live/vmlinuz
	initrd /live/initrd.img
	append boot=live persistence persistent=cryptsetup persistence-encryption=luks,none username=user components quiet splash

BUT: Since this looked very promising, I had no persistence at all, after booting the USB.

So my question is: Is it possible that lithium-iso has been build without cryptsetup, so it won`t be able to open the container, or is it something else I am missing here?

If the first is the case I'm probably lost and have to go the live-build route again, so I hope the latter option is true and someone is able to point out what I did wrong.

¹) echo "/ union" > /mnt/sdx2/persistence.conf read more here

Thanks for your time reading this and any help is highly appreciated!

naik --greetz


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

#3 2020-09-16 19:26:24

sleekmason
Member
Registered: 2018-05-22
Posts: 193

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

I've been messing around a bit with live-build as well.  have you looked at the live-boot options?

https://manpages.debian.org/testing/ope … .7.en.html

Also, for every preseed option available for the installer. Literally every one.
https://preseed.debian.net/debian-preseed/buster/

Offline

#4 2020-09-17 00:49:13

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 7,308
Website

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

(cryptsetup is included in the Lithium isos)


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop

Offline

#5 2020-09-17 14:01:40

Naik
Member
From: Lipsia
Registered: 2015-10-03
Posts: 265

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

Hello!

Thanks for your answer. I saw that there is an option to boot encrypted root via a loop-aes

{live-media-encryption|encryption}=TYPE
    live-boot will mount the encrypted rootfs TYPE, asking the passphrase, useful to build paranoid live systems :-). TYPE supported so far is "aes" for loop-aes encryption type.

Does this mean I can create an encrypted /dev/loop1 to put the sqashfs into?

Do you have any idea how I could configure the build process to include the bunsenlabs repo?

I am sorry, to say that I have no idea what your second link is about. Isn't this kind of stuff only concerning the installer, when (and if) this option is included in the build?

Naik --greetz


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

#6 2020-09-17 17:32:12

sleekmason
Member
Registered: 2018-05-22
Posts: 193

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

Naik wrote:

Hello!

Thanks for your answer. I saw that there is an option to boot encrypted root via a loop-aes

{live-media-encryption|encryption}=TYPE
    live-boot will mount the encrypted rootfs TYPE, asking the passphrase, useful to build paranoid live systems :-). TYPE supported so far is "aes" for loop-aes encryption type.

Does this mean I can create an encrypted /dev/loop1 to put the sqashfs into?

Do you have any idea how I could configure the build process to include the bunsenlabs repo?

I am sorry, to say that I have no idea what your second link is about. Isn't this kind of stuff only concerning the installer, when (and if) this option is included in the build?

Naik --greetz

I have no idea about encrypted anything:)
 
I finally have a good stable build using live-build, and saw you were doing something in the same area. I'm hoping you get it figured out and share the method:)

The second link was just neat:)  Someone went through and found every option for Buster and the installer.  Thought if you went that route it might be useful.

For apt, this section may be useful:
https://live-team.pages.debian.net/live … save-space
The live-build manual is a rabbit hole of info, but pretty dang neat.
This link in the live-build manual talks about luks,persistance and the like.
https://live-team.pages.debian.net/live … rs.en.html

And im guessing you already have this one from Kali linux about building your own:
https://www.kali.org/docs/development/l … -kali-iso/

Sorry I can't help more!  Good Luck:)

Offline

#7 2020-09-18 10:37:08

Naik
Member
From: Lipsia
Registered: 2015-10-03
Posts: 265

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

johnraff wrote:

(cryptsetup is included in the Lithium isos)

Thank you for your answer Johnraff. I will definitly have a closer look at this and try to find out how to make encrypted persistence happen.

naik --greetz


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

#8 2020-09-18 11:29:48

Naik
Member
From: Lipsia
Registered: 2015-10-03
Posts: 265

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

A little Update:

I was successful in building an iso-hybrid image containing the bunsenlab-lithium repo and including the bunsen-meta-all package.
Will have a do a test run later and post my way of doing so, when it works as suspected.

naik --greetz


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

#9 2020-09-29 11:09:16

Naik
Member
From: Lipsia
Registered: 2015-10-03
Posts: 265

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

A little more:

I was unable to achieve encrypted persistence with the lithium-1-amd64.hybrid.iso.
Which lefts me thinking that cryptsetup is not activ in the intird or it may be build with live-build < 4.0.

But I was able to achieve what I want by building my own iso with live-build containing the BL repos and some hooks and stuff from the kali live-buil-config.
I am still testin/sorting packages because I have some firmware trouble (e.g. touchscreen support ootb) but as soon as this is figured out, I will make the configs available on github and add a howto here.

Naik --greetz

Last edited by Naik (2020-09-29 11:10:05)


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

#10 2020-09-29 13:20:39

sleekmason
Member
Registered: 2018-05-22
Posts: 193

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

Naik wrote:

A little more:

I was unable to achieve encrypted persistence with the lithium-1-amd64.hybrid.iso.
Which lefts me thinking that cryptsetup is not activ in the intird or it may be build with live-build < 4.0.

But I was able to achieve what I want by building my own iso with live-build containing the BL repos and some hooks and stuff from the kali live-buil-config.
I am still testin/sorting packages because I have some firmware trouble (e.g. touchscreen support ootb) but as soon as this is figured out, I will make the configs available on github and add a howto here.

Naik --greetz

Absolutely Awesome! Thank you:)

Offline

#11 2020-09-29 14:51:09

Naik
Member
From: Lipsia
Registered: 2015-10-03
Posts: 265

Re: [Re-Opened] Bunsenlabs to go -> Live key with encrypted persistence

sleekmason wrote:
Naik wrote:

A little more:

[...]
I am still testin/sorting packages because I have some firmware trouble (e.g. touchscreen support ootb) but as soon as this is figured out, I will make the configs available on github and add a howto here.

Naik --greetz

Absolutely Awesome! Thank you:)

It was a mere try & error journey so far, but thank you!
I am also struggeling now with the use of hooks to automate the process of installing kali-anonsurf while in chroot stage to have it present on the live medium.

Any help with this would be highly apreciated!

Naik --greetz


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

Board footer

Powered by FluxBB