This is an explanation of how to use encryption under the most recent release of JayOS. It will walk you through the steps of creating and booting an encrypted root filesystem, and how to insert and extract hidden data into a filesystem. This procedure was last tested with JayOS-x86-20120123. # First of all, it is assumed that the system has already been compiled by scripts/build.sh, and /lfs/build/livecd exist and is populated. From the livecd, run the script /root/bin/mklo to create an encrypted copy of your currently-mounted root filesystem. The following command will create a 115 MB encrypted ext2 filesystem (journaling doesn't work on loopback devices), mklo -e -t ext2 -s 115 -f /lfs/build/livecd/fs/root.alt Rebuild the livecd by changing into /lfs/src/jlfs and running "make livecd". # The next time you boot, give pass the kernel the "altfs" parameter. This will tell /initrd/linuxrc that you want to load fs/root.alt instead of fs/root.gz. It will copy into memory the above file, and pause for the passphrase. You can type in the password after dd prints its message. If you give the wrong password, the unencrypted root filesystem is loaded instead, and control passes to /sbin/init as usual. Within the root filesystem, losetup has been patched so that the Password: prompt is not displayed, but this is not the case for the losetup in initrd. The password for root.alt on the livecd is "steviewonder-innervisions". Once you have successfully booted, look in root's home directory for the password to use when prompted in the steps below. The default name root.alt can be overridden with altfs=path/filename # # How to prove the root filesystem is encrypted # Do an losetup on /dev/loop7, where root is mounted. You'll see it points to /dev/ram1, and is encrypted with aes128. Use dd to copy the first megabyte of /dev/ram1 to a file, then run file against the newly created file and note its file type: data. Do the same for /dev/loop7 and see that the filesystem type is recognized. # # How to store encrypted data in a filesystem # There is a patch in patches/jlfs named runefs-initrd.patch. After build.sh completes, patch the source tree with this command: /usr/src# patch -Np2 < /lfs/build/JayOS/patches/jlfs/runefs-root.patch A small file will be created named myaddons.tbz. Extract it and examine it. It's purpose is to change the splash screen when Xorg fires up, but it could easily be anything you want it to be. Edit jlfs/Makefile.vars and uncomment the second set of the variables ADDFS and ADDFSDIR. Now when "make root" is run, code in jlfs/Makefile.targets will first prompt for an encryption passphrase, then use runefs to insert myaddons.tbz into the slack space of the ext2 filesystem, where its existence will be hard to prove. # # How to pull encrypted data from a filesystem # The root filesystem on the LiveCD has easter eggs :) At the boot prompt, enter "jayos addons". The password prompt is a red herring of sorts. If anything other than the passphrase "fulfillingnessfirstfinale" is entered, the boot will ignore the entry and continue as usual. With the proper passphrase however, ~/.bash_profile will use the following command to extract encrypted data from the slack space on the root ext2 filesystem: /initrd/bin/busybox rune /dev/ram1| \ aespipe -d -e aes128 > \ /tmp/myaddons.tbz All sources and patches used to make this happen are provided but not compiled by default during the normal build process.