Image Description Encrypted Disk

A virtual disk image can be partially or fully encrypted using the LUKS extension supported by KIWI NG. In a fully encrypted image the data in /boot is encrypted as well, so the image requests the passphrase for the master key at the bootloader stage. A partially encrypted image keeps /boot unencrypted on an extra boot partition; such an image requests the passphrase for the master key later in the boot process, when the root partition is accessed by the systemd mount service. In either case the master passphrase is requested only once.

Update the KIWI NG image description as follows:

  1. Software packages

    Make sure to add the following package to the package list:

    Note

    Package names used in the following list match the package names of the SUSE distribution and might be different on other distributions.

    <package name="cryptsetup"/>
    
  2. Image Type definition

    Update the oem image type setup as follows:

    Full disk encryption including /boot:
    <type image="oem" filesystem="ext4" luks="linux" bootpartition="false">
        <oemconfig>
            <oem-resize>false</oem-resize>
        </oemconfig>
    </type>
    
    Encrypted root partition with an unencrypted extra /boot partition:
    <type image="oem" filesystem="ext4" luks="linux" bootpartition="true">
        <oemconfig>
            <oem-resize>false</oem-resize>
        </oemconfig>
    </type>
    

    Note

    The value of the luks attribute is the master passphrase for the LUKS keyring. The XML description therefore becomes security critical and should be readable only by people who are trusted with that passphrase. Alternatively, the credential can be stored in a key file and referenced as:

    <type luks="file:///path/to/keyfile"/>
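The note above makes the description file itself a secret whenever luks carries a literal value. The following script, an added example that is not part of KIWI NG, audits a description for exactly that: it reports every type element with an inline passphrase and, for file:// references, whether the key file is readable by group or others. The sample description, the key path /root/luks.key and the audit_with_modes helper are constructed for the example.

```python
import os
import stat
import xml.etree.ElementTree as ET
from types import SimpleNamespace

FILE_PREFIX = "file://"


def audit_luks(xml_text, stat_fn=os.stat):
    """Return (image, finding) for every <type> element that carries a luks attribute."""
    findings = []
    for node in ET.fromstring(xml_text).iter("type"):
        value = node.get("luks")
        if value is None:
            continue  # unencrypted image type: nothing to check
        image = node.get("image", "?")
        if not value.startswith(FILE_PREFIX):
            # The literal value IS the master passphrase: the XML file itself is now a secret.
            findings.append((image, "inline passphrase in XML: restrict access to the description"))
            continue
        path = value[len(FILE_PREFIX):]
        try:
            mode = stat_fn(path).st_mode
        except OSError:
            findings.append((image, "keyfile missing: %s" % path))
            continue
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other permission bit set
            findings.append((image, "keyfile %s readable by group/others" % path))
        else:
            findings.append((image, "ok: keyfile %s" % path))
    return findings


def audit_with_modes(xml_text, modes):
    """Run audit_luks against a constructed {path: st_mode} table instead of the real disk."""
    def fake_stat(path):
        if path not in modes:
            raise FileNotFoundError(path)
        return SimpleNamespace(st_mode=modes[path])
    return audit_luks(xml_text, stat_fn=fake_stat)


# Constructed, trimmed description: one <type> per variant shown on the page; key path is hypothetical.
SAMPLE_XML = """<image name="luks-demo">
  <preferences>
    <type image="oem" filesystem="ext4" luks="linux" bootpartition="false"/>
    <type image="oem" filesystem="ext4" luks="file:///root/luks.key" bootpartition="true"/>
    <type image="iso"/>
  </preferences>
</image>"""
```

Against a real description, call audit_luks with the file contents and the default os.stat so the key file's actual mode is checked.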