TurnKey Linux Virtual Appliance Library

Whole file system encryption in TurnKey Linux

Phillip Bailey

I'm currently working on a project that involves the deployment of some applications inside a hostile environment. Using TurnKey Linux I've achieved all the tasks required to have a secure distribution, except that I need to set up a fully encrypted file system.

In the di-live installer, unfortunately I didn't find a way to enable this feature, but looking a bit further into /usr/lib/di-live.d/42partman-base it seems to be the right place to enable it. I'm kindly asking for some hints and tips to enable whole FS encryption in TurnKey Linux.

Thanks for the awesome work with Turnkey.

Phillip Bailey
Alon Swartz

di-live leverages d-i for the heavy lifting...

I've never done this before, so I can't give you a step-by-step, but you did find the correct place to enable encryption (42partman...)

di-live leverages d-i (debian-installer) to do the heavy lifting, which is used by Debian and Ubuntu. These links (1, 2) might help.

In a nutshell, you need to preseed d-i partman with the configuration you want in the di-live hook, and then let partman take care of the details.
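To make the preseed step concrete, here is an added example (not code from this thread or from TurnKey/di-live) of the partman answers that d-i accepts for guided partitioning onto encrypted LVM; the disk name and the assumption that the di-live hook writes these answers into debconf before partman runs are mine, not something the thread shows.

```text
# Constructed example: d-i partman preseed for guided encrypted LVM.
# Assumes the di-live hook (42partman-base) feeds these into debconf
# before partman runs; how it does that is not shown in this thread.
d-i partman-auto/disk string /dev/sda
# "crypto" = LVM on top of a dm-crypt/LUKS volume (the other methods are
# "regular" and "lvm")
d-i partman-auto/method string crypto
d-i partman-auto-lvm/guided_size string max
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
# "atomic" recipe: a single root volume plus swap inside the LVM
d-i partman-auto/choose_recipe select atomic
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# No passphrase is preseeded on purpose: partman then prompts for it
# interactively, so it never sits in a plaintext file on the install media.
# Caveat: /boot stays unencrypted in this layout, because the kernel and
# initramfs must be readable before the LUKS volume can be unlocked.
```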

Phillip Bailey

Alon, thanks for the

Alon,

Thanks for the update, today I'll try to get my fingers dirty with partman.

Phillip Bailey

Hi Alon, things are getting

Hi Alon,

Things are getting hard with di-live and partman; is there any way to avoid di-live's heavy lifting during disk partitioning?

Thanks,

Phillip

Phillip Bailey

Disable di-live

Hi Alon,

I know that you've invested a lot of time writing di-live, but I'm asking if there's a way to disable it and go with a normal Debian installer, because things with the encrypted file system and di-live are getting pretty messed up.

Phillip

Alon Swartz

Not really...

Not really. di-live was developed to provide the ability to install a "live" Debian-based system to the hard disk. The debian-installer itself doesn't have that ability.

With enough tweaking you should be able to disable preseeding and enable all the d-i partman recipes for advanced usage scenarios (like full file-system encryption). You might need to install some dependencies though; as I said above, I'm not sure, as I've never tried it myself...

whole disk encryption

Alon

You guys' products are awesome, but currently I cannot use them in production, and sometimes not even in dev environments, until we can achieve whole disk encryption with the installer. I'd love to see this feature added, as it has become the de facto standard where I work now.

thanks

doug

Jeremy

I have lodged a feature request

Have a look here, although I have no idea when an option like that will be implemented.

If you are really keen on this then I suggest that you consider forking di-live.
