
Ask ext4 encrypt and simplified boot menu

June 23, 2022 — BarryK

This is an ongoing project to simplify EasyOS, both conceptually and during usage. The previous installment was posted yesterday:

https://bkhome.org/news/202206/complete-separation-between-boot-manager-and-easyos.html

Whether on a flash-stick or an internal drive, EasyOS is now laid out on the drive in the same way, in what we call a "frugal" install. Easy no longer knows what boot-manager or bootloader was used to boot it. In the case of the image file that you write to a flash-stick, the bootloader is now Limine, in a 7MiB FAT12 ESP partition, and Easy is in an 816MiB ext4 partition.

As I explained in the above link, Limine has just one menu entry, with timeout of zero seconds, so it doesn't even display, bootup goes straight to EasyOS.

If you are doing a frugal install to a partition on an internal drive, and you have previously installed Linux, then you will already have a boot-manager installed, most likely GRUB.

So, you would want to make an entry in that boot-manager that adds the choice of booting EasyOS, just like the Limine example. But you would probably only make one entry; it would be a hassle to make multiple entries for the different EasyOS boot options, such as doing a filesystem check, booting to the commandline without X, and so on.

For over a year, Easy has taken care of that, by offering bootup choices at shutdown:

img1

...very nice, but what about the situation where you can't get X to work? What if you are running in lockdown mode, which is Easy running totally in RAM with drives disabled? -- in that latter case, you can only go back to normal bootup by a choice in the early boot menu.

To cater for special cases like this, I have introduced a small menu in the 'initrd'. At every bootup, you enter a password to unlock the encrypted folders in the working-partition, and I have added an extra line of text (orange background):

img2

So, if you press ENTER instead of entering the password:

img3

...only two entries there for now, to test the concept. There is a third entry, that will only appear if you are in lockdown mode, offering to restore normal bootup.

That text ", then press ENTER" is superfluous; I have removed it.

So, you get all bootup choices, either at shutdown or in the initrd at bootup, and you only need to create one entry for EasyOS in the boot manager.

Bootup password

At the very first bootup, you are asked to enter a password. You may decline; however, I very strongly recommend that you do enter a password. It only has to be something simple that you will always remember. Bear in mind, though, that this password is what unlocks the encrypted folders at every bootup, so anything easily guessable weakens that protection.

One problem in the past, when doing a frugal install, is that the ext4 partition chosen may not have the "encrypt" feature enabled. If the partition is being used for something else, and you are just creating a folder for EasyOS that will co-exist with whatever is there, no problem. Enabling the encrypt feature should not upset whatever else is happening in that partition. The ext4 encrypt feature works on a per-folder basis, so it should not affect normal folders. One caveat: "encrypt" is an incompat feature flag, so a kernel built without fscrypt support will refuse to mount the partition at all once it is set.

So, the previous behaviour was: at first bootup you enter a password, then you are informed that the ext4 partition does not have the encrypt feature enabled, so the password is rejected and not required for future bootups. The only thing that attempt at entering a password will have done is set it as the password for the 'root' user (so it is no longer "woofwoof").

The initrd will now offer to enable the encrypt-feature. This is the new code in the 'init' script (in the initrd):

   #Look for "encrypt" in the feature list of the working-partition's superblock.
   ENCflg="$(tune2fs -l /dev/${WKG_DEV} | grep '^Filesystem features: .* encrypt')"
   if [ "$ENCflg" == "" ];then
     echo -e "\\033[1;31m The working-partition does not have ext4 encrypt feature enabled.
This feature is required to encrypt folders. Recommended for your security.
If you decline, future bootups will not ask for a password.\\033[0;39m" #red.
     echo "Press ENTER key to enable encrypt, any other key not to: "
     read wantencrypt
     if [ "$wantencrypt" == "" ];then
       echo "Enabling ext4 folder encryption..."
       sync
       umount /mnt/${WKG_DEV}   #do not change features on a mounted partition.
       tune2fs -O encrypt /dev/${WKG_DEV}
       if [ $? -ne 0 ];then
         echo -e "\\033[1;31mSorry, enabling folder encryption failed.\\033[0;39m" #red
       else
         echo "...encrypt enabled."
         echo "Note, if for some reason you want to turn it off, remove the EasyOS installation. Then, there are instructions on the Internet to turn off encrypt."
       fi
       sync
       mnt_wkg_ext4_func   #remount the working-partition, whether or not tune2fs succeeded.
       if [ $? -ne 0 ];then
         err_exit "Mounting the working-partition has failed."
       fi
     else
       echo "Folder encrypt support not enabled."
     fi
   fi

...I haven't tested it yet.
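Since the snippet above is untested, here is an added example of the same check-and-enable step, written for this page and not taken from EasyOS. It wraps the logic in functions and adds the two pre-flight checks the init script skips: refusing to run tune2fs while the device is mounted (read from /proc/mounts), and warning when the running kernel lacks fscrypt support (the /sys/fs/ext4/features/encryption sysfs node). The "Filesystem features:" line is matched token by token rather than by regex, so it does not depend on tune2fs's column padding. It assumes e2fsprogs (tune2fs, and mkfs.ext4 for the demo) in PATH; the --demo mode builds a throwaway ext4 image file, so it can be tried without root or a real partition, and the sample tune2fs output used for checking the parser is constructed.

```shell
#!/bin/sh
# Added example, not EasyOS code: checks around "tune2fs -O encrypt".
# Assumes: e2fsprogs in PATH; a kernel built with CONFIG_FS_ENCRYPTION exposes
# /sys/fs/ext4/features/encryption; /proc/mounts lists mounted block devices.

# Read "tune2fs -l" (or "dumpe2fs -h") output on stdin; succeed only if the
# feature list contains the exact token "encrypt" ($1="Filesystem", $2="features:").
ext4_has_encrypt() {
    awk '
        /^Filesystem features:/ {
            for (i = 3; i <= NF; i++) if ($i == "encrypt") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Succeed if device $1 (e.g. /dev/sda3, i.e. /dev/$WKG_DEV) is the source of a
# mount in table $2 (default /proc/mounts). Features must not be changed while mounted.
dev_is_mounted() {
    awk -v dev="$1" '$1 == dev { hit = 1 } END { exit hit ? 0 : 1 }' "${2:-/proc/mounts}"
}

# The sysfs feature node exists only when the kernel was built with fscrypt support.
kernel_supports_ext4_encryption() {
    [ -e /sys/fs/ext4/features/encryption ]
}

# Enable the encrypt feature on device or image $1 after the pre-flight checks,
# then re-read the superblock to confirm. Returns 0 on success.
ext4_enable_encrypt() {
    dev=$1
    if tune2fs -l "$dev" | ext4_has_encrypt; then
        echo "encrypt already enabled on $dev"; return 0
    fi
    if dev_is_mounted "$dev"; then
        echo "refusing: $dev is mounted; umount it first" >&2; return 1
    fi
    # encrypt is an INCOMPAT flag: a kernel without fscrypt support cannot mount
    # the partition at all afterwards, so say so before flipping the bit.
    if ! kernel_supports_ext4_encryption; then
        echo "warning: the running kernel lacks fscrypt support" >&2
    fi
    tune2fs -O encrypt "$dev" >/dev/null || return 1
    tune2fs -l "$dev" | ext4_has_encrypt
}

# Offline demo on a throwaway 16MiB image file (no root, nothing mounted):
#   sh ext4-encrypt-check.sh --demo
if [ "${1:-}" = "--demo" ] && command -v mkfs.ext4 >/dev/null 2>&1; then
    img=$(mktemp) && dd if=/dev/zero of="$img" bs=1M count=0 seek=16 2>/dev/null
    mkfs.ext4 -q -F "$img"      # default feature set does not include "encrypt"
    tune2fs -l "$img" | ext4_has_encrypt && echo "before: encrypt set" || echo "before: encrypt not set"
    ext4_enable_encrypt "$img" && echo "after: encrypt set"
    rm -f "$img"
fi
```

In the init script the equivalent call would be ext4_enable_encrypt /dev/${WKG_DEV} after the umount, and a non-zero return is the signal to print the "failed" message before remounting.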

Two more steps implemented to make usage simpler for the user.

Tags: easy