Hackweek project: create encrypted installation media
- You’re still carrying around your precious autoyast config files on an unencrypted usb stick?
- You have a customized installation disk that could reveal lots of personal details?
- You use ad blockers, private browser tabs, or even
torbut still carry around your install or rescue disk unencrypted for everyone to see?
- You have your personal files and an openSUSE installation tree on the same partition just because you are lazy and can’t be bothered to tidy things up?
- A simple Linux install stick is just not geekish enough for you?
Not any longer!
mksusecd can now (well, once this pull request has been merged) create fully encrypted installation media (both UEFI and legacy BIOS bootable).
Everything (but the plain grub) is on a LUKS-encrypted partition. If you’re creating a customized boot image and add sensitive data via
--boot or add an add-on repo or autoyast config or some secret driver update – this is all safe now!
It’s as easy as
mksusecd --create crypto.img --crypto --password=xxx some_tumbleweed.iso
dd the image to your usb stick.
But if your Tumbleweed or SLE/Leap 15 install media are a bit old (well, as of now they are) check the ‘Crypto notes’ in
mksusecd --help first! – You will need to add two extra options.
This is how the first screen looks then