Paranoid Penguin - Customizing Linux Live CDs, Part II

Use encrypted folders with your custom live CD.

Last month, I described a simple procedure for customizing the standard Ubuntu Desktop 7.10 live CD. We got as far as uninstalling software packages to make room for other things, installing some of those other things and updating all packages on the live CD image.

This month, I go a step further by creating a TrueCrypt-encrypted Documents directory that you can mount from a USB drive, in conjunction with your live CD. Although that's handy in and of itself, you'll be able to use the same method, with only minor modifications, to encrypt other important directories as well.

As with last month's article, here I use Ubuntu both as the master system to customize and repackage our live CD and for the source of the live CD ISO image we'll customize. It's a popular and surprisingly compact mainstream distribution. So, also like last month's column, much of what follows will apply directly to other squashfs-based distributions, such as Linux Mint, SLAX and BackTrack (not to mention Ubuntu variants, such as Kubuntu and Edubuntu), and indirectly to most other live CD distributions.

I'm going to avoid the temptation to make this article a ground-up tutorial on volume encryption in general or TrueCrypt specifically. Either topic would make a substantial article all by itself. Maybe I'll tackle those at a later date, unless I can persuade the Paranoid Penguin's Minister of Cryptographic Outreach, Tony Stieber, to tackle them for me. (You may remember Tony's articles “GnuPG Hacks” and “OpenSSL Hacks” in the March 2006 and July 2006 issues of Linux Journal, respectively). But, I will show you how to install TrueCrypt on Ubuntu systems, and how to create and mount TrueCrypt volumes.

Installing TrueCrypt

Although I just disclaimed the intention of making this a TrueCrypt primer, a little introduction is in order. TrueCrypt is a free, open-source, cross-platform volume-encryption utility. It's also highly portable. The TrueCrypt binary itself is self-contained, and any TrueCrypt volume can be mounted on any Windows or Linux system on which the TrueCrypt binary will run or compile. TrueCrypt can be run either from a command line or in the X Window System.

TrueCrypt is becoming quite popular and is held in high regard by crypto experts I know (it appears to be a sound implementation of known, good algorithms like AES and Twofish), but its license is a bit complicated. For this reason, TrueCrypt hasn't yet been adopted into Debian or Ubuntu officially, even though Ubuntu 8.10's universe packages easycrypt and gdecrypt depend on it (see the Ubuntu 7.10 vs. 8.4 sidebar).

So, to install TrueCrypt on an Ubuntu system, you need to download it directly from When I was writing this article, TrueCrypt version 5.1 was current, and the Ubuntu deb file I downloaded was called truecrypt-5.1-ubuntu-x86.tar.gz, though by the time you read this, it may be something else. Besides an Ubuntu deb package, TrueCrypt also is available as a SUSE RPM file (that also might work on other RPM-based distros) and as source code.

Now, it's time to install TrueCrypt. You're going to need to install TrueCrypt in at least two places: on the master system you're using to create your custom live CD and either on the live CD image itself or on whatever removable media (such as a USB drive) you're going to keep your encrypted volume.

First, let's install TrueCrypt on the master system. Open a command shell, unpack the TrueCrypt archive in your home directory, and change your working directory to the directory that gets unpacked:

bash-$ tar -xzvf ./truecrypt-5.1-ubuntu-x86.tar.gz

bash-$ cd truecrypt-5.1

Next, use the dpkg command to install the deb file:

bash-$ sudo dpkg -i ./truecrypt_5.1-0_i386.deb

With TrueCrypt 5.1, only three files are installed on your system: its license and user guide, both in /usr/share/truecrupt/doc/, and the binary itself, /usr/bin/truecrypt. TrueCrypt doesn't require any special kernel modules; it's a monolothic process. This means that if you copy /usr/bin/truecrypt to the same Flash drive on which you keep your encrypted volume, you won't need to install it on your Ubuntu live CD.

You may prefer doing so anyhow. Here's how:

  1. Follow steps 00–12 in the procedure I described last month for mounting your custom ISO and chrooting into it (see Appendix).

  2. From a different, non-chrooted shell, copy the TrueCrypt deb package truecrypt_5.1-0_i386.deb into the ISO root you just chrooted into (isonew/custom/ in last month's examples).

  3. Back in your chrooted shell, run dpkg -i ./truecrypt_5.1-0_i386.deb (no sudo necessary here, as you're already root).

  4. Finally, follow steps 19–33 from last month's procedure to clean up, unmount and repackage your custom live CD image. And, of course, use your CD-burning application of choice to burn your image into a shiny new live CD