[elbe-devel] How to create an encrypted rootfs image using Elbe?
Manuel Traut
manuel.traut at linutronix.de
Tue Jul 4 08:13:41 CEST 2017
Hi Lukasz,
> I think my question was too general, so I narrow the scope here. We are planning to use the cryptsetup package to encrypt the RFS generated with elbe. One way to do that is to mount the RFS as a loop device and manipulate it using cryptsetup. Since mounting a loop device and manipulating it requires root privileges we would like to encapsulate those tasks. The elbe initvm provides a perfect, secure environment for such tasks and we are using it anyway so there would be no additional cost in setting things up.
Okay, I understand.
> My question is whether it is possible to execute commands within initvm *after* the RFS has been generated? - I mean something similar to <finetuning> commands but executed after the RFS generation.
No, there is currently no such feature. But I understand the need for it.
Installing cryptsetup etc. into the initvm is already possible by providing a
customized <initvm> description in XML.
> To reveal my attitude: I am looking for a clean solution that encapsulates code running with root privileges, which could be safely integrated in an automated build system.
>
> I would be grateful for your ideas/suggestions.
Finetuning should be more flexible!
Currently finetuning runs twice. Once before extracting and once after
extracting the archive. That should also be controllable.
I am thinking about allowing a list of <finetuning> sections and adding some
attributes, e.g. <finetuning runafter='imagegen'>. Or something like this.
What do you think?
Regards,
Manuel