I'm considering writing a hint.

Andrew Benton b3nton at gmail.com
Tue Jan 11 08:37:33 PST 2011


On Tue, 11 Jan 2011 08:06:52 -0800
maxwell_ at fastmail.fm wrote:

> Hello fellow LFS users.
> 
> Fist off, I am new to these lists, but I made my first LFS system
> several years ago.  I have no idea which version it was.  I didn't go
> very far beyond LFS at that time, and ended up going back to using
> Windows (god forbid) because it just worked out of the box (barely)
> without really having to mess with it too much.  I then moved on to
> using Ubuntu for security reasons, having a huge lack of trust for
> Microsoft and really anybody in this post 9/11 era.  I now assume that
> all Windows operating systems are just a huge government backdoor. 
> 
> As you may have guessed by now, I am big on keeping my information
> private.  I do not like how computers open up new doors for governments
> to spy on their citizens.

Don't put away you tin-foil hat just yet, I gather that the NSA submit
code to the linux kernel...

> I have installed an BLFS system, with all of the programs I want,
> tailored just the way I like it.  But rather than keeping this system on
> a hard disk, which someone could examine and potentially steal my data,
> or learn about me and my habits... by looking at my browser cache, or
> forensically examining the drive for documents I've written, I use a 4GB
> USB thumb drive with a 128MB boot partition, and the rest of the drive
> (3.8GB+) is a Truecrypt-encrypted partition.  My BLFS system is squashed
> using Squashfs and is copied to the encrypted partition.
> 
> Here's how my boot process works:
> 
> I plug my thumb drive into my machine and turn it on.  I press F12 or
> whatever to boot off of the thumb drive.  I have an initrd.gz in my boot
> directory with Truecrypt in /bin.  The linuxrc calls Truecrypt to mount
> /dev/sdb2 (the encrypted partition).  It prompts me for the password.  I
> enter the password.  The partition is mounted read-only.  The linuxrc
> creates a 1GB+ ramdisk and then copies the entire operating system (the
> squashfs filestyem) from the encrypted partition to the ramdisk.  Next,
> it dismounts the Truecrypt volume, so I can remove the USB thumb drive
> if I want to.  Then it mounts the squashfs filesytem using AUFS, and
> then pivot-roots to that system.  From there, the OS boots as usual.  If
> you don't use AUFS to mount it, then the OS won't be writable, as
> Squashfs is a read-only filesystem, and it won't work.
> 
> So what have I done?  My entire OS exists in RAM.  Once the machine is
> powered off, it's like a LiveCD in that everything is gone... not a
> trace of anything I've done is left.  But rather than it being some
> LiveCd of some random Linux distro-of-the-day, it is my own, custom BLFS
> system.

I've not tried encrypting a root partition (I think setting up an
initrd looks hard...) so I don't know the ins and outs of it all, 
how is this different from Lars Bamberger's hint?
http://www.linuxfromscratch.org/hints/downloads/files/crypt-rootfs.txt

Andy



More information about the lfs-chat mailing list