LE 9.2 with lvm2, luks (dm-crypt, veracrypt), ext4 encryption and some newclock5 kodi patches

  • Hi sky42,

    thank you for quick update.

    Me I ask for a small change in the future ?

    /usr/share/kodi/system/settings/settings.xml increase maximum setting for "pvrplayback.delaymarklastwatched" to 86400.

    this will prevent to add watched channels for less than 24h ... to main interface, ( I use this to privacy and prevent adding channels not suitable to children... ).

    At the moment I unsquash - edit - squash... for every version of I use on x86, rpi 3, 4...

  • Would love to see this added to the official LibreElec OS. I understand it is a JeOS and want to be minimal as possible but Kodi does not support encryption and many would like to encrypt the files on their devices. All of my computers, phones and tablets are encrypted and I would like my Kodi box to be also.

  • People keep quoting the "many would like to encrypt their devices" line to us yet these images which support that have existed for an extended period of time and user numbers remain consistently between 20-30 users total. It's much like how people seeking 4K HDR with DolbyVision support insist that everyone needs it, yet stats show 60% of our userbase runs an RPi board that can't run over 1080p. This is niche and there are no plans to add it into the core distro. Yes user numbers would increase if we did bake it in, but from exprience within our userbase I'd expect 2x to 3x the number, not the 1000x increase that would justify making the change. I'm sure these images will continue to exist and support the limited numbere who do care about encrypting data.

  • trymeout i'd love that too having it for the masses like on the phone or tablet, but that is not that easy

    I just switched on the kernel support for it and the tools to use it. What is missing, to give encryption of the LE data to end users, is lots of GUI Software for a normal end user. And to make it more complicated it must be done before mounting /storage, so we dont have any config at all.

    The how i know, but i am not the guy to write the GUI software.

    I use my own scripts and systemd units to encrypt all of /storage/.kodi and i also know how to do it for /storage, but these scripts are not good enoug documented to give them away without lots of explanations. If somebody is writing the GUI part i do have the rest of the know how to do a fully encrypted /storage and can explain what the GUI has to do.

  • but from exprience within our userbase I'd expect 2x to 3x the number,

    What is wrong with a 2x or 3x increase in userbase? Should like a lot to me, you will double or triple the userbase which tells me many do want this and it seems to be worthwhile if the reward is doubling or tripling the userbase.

  • Trippling the current userbase would give 66x users total. In perspective that is (rounding up slightly) 0.0002% of our total userbase. We simply are not going to add the amount of complexity required for that number of users. If it were a 1000x fold increase we'd be serious about it, but we do know our userbase, and it won't be.

  • UPDATE: so lsblk, udisksctl, sudo and apt-get are not part of the distro (see below). So I'm out of my depth here. I do have the LibreELEC-RPi4.arm-sky42-9.2.6-#201025.img.gz image running on my Pi4 now and I have SSH'd into the box. But found that I do not have a clue how to try and mount my encrypted SSD from the command line (having tried and failed with the commands above). Any pointers on how to decrypt and mount my SSD would be appreciated?

    Also, what distro is LE based on?
    END UPDATE


    Hi, I'm trying to get LE running on a RaspberryPi 4 (RPi4) with the ability to mount an external encrypted (LUKS) SSD. I'd be grateful if someone can advise if the image: LibreELEC-RPi4.arm-sky42-9.2.6-#201025.img.gz, at the following link, is the correct/best/most current image to use for my purposes: sky42 LibreELEC community builds ?

    Also, if the above image does support LUKS, I would be grateful if someone can tell me if I am on the right track with the following commands to decrypt and mount my SSD?:

    Edited once, last by LibreEcosse: Grammer (August 19, 2021 at 2:57 AM).

  • UPDATE: so lsblk, udisksctl, sudo and apt-get are not part of the distro (see below). So I'm out of my depth here. I do have the LibreELEC-RPi4.arm-sky42-9.2.6-#201025.img.gz image running on my Pi4 now and I have SSH'd into the box. But found that I do not have a clue how to try and mount my encrypted SSD from the command line (having tried and failed with the commands above). Any pointers on how to decrypt and mount my SSD would be appreciated?

    Also, what distro is LE based on?
    END UPDATE


    Hi, I'm trying to get LE running on a RaspberryPi 4 (RPi4) with the ability to mount an external encrypted (LUKS) SSD. I'd be grateful if someone can advise if the image: LibreELEC-RPi4.arm-sky42-9.2.6-#201025.img.gz, at the following link, is the correct/best/most current image to use for my purposes: sky42 LibreELEC community builds ?

    Also, if the above image does support LUKS, I would be grateful if someone can tell me if I am on the right track with the following commands to decrypt and mount my SSD?:

    As said in the documentation (can't remember where), the approach is to define systemd mount services files for each disk/mount point you want to automate.

    If you really just want to do manual mounting, the way to go is:

    - Open the encrypted partition with the luks open tool (this will provide new devices in /dev/mapper/luks-xyz)

    - Mount as usual those luks devices

  • UPDATE: I got the drive manually decrypted, mounted and all working great - thanks. I have added the steps below for future reference. UPDATE END

    Thanks pasnox. This sounds promising. Having an automated process would be ideal. Unfortunately, I'm not techy enough to follow up on your info and I can't find the documentation in the archive linked to above. Any help with specifically how to set up LUKS drive decryption and mounting with systemd mount services and/or pointers to the appropriate documentation would be much appreciated. Thanks again

    ---

    Steps to manually decrypt and mount LUKS partition with the luks open tool:

    1) SSH into Raspberry Pi 4 running LibreELEC;

    2) find the location of the external USB SSD drive - run the command:

    Code
    parted -l

    Output:

    Code
    Model: [SSD model information]
    Disk /dev/sda: [size]GB

    3) decrypt LUKS partition, run command (where drive location is taken from above - I had to add "1" as LUKS partition is the first partition on the drive):

    Code
    cryptsetup luksOpen /dev/sda1 SSD

    Output:

    Code
    Enter passphrase for /dev/sda1:

    4) mount the decrypted partition - first, create the desired mount point:

    Code
    mkdir /media/SSD

    5) Mount the partition:

    Code
    mount -t auto -v /dev/mapper/SSD /media/SSD

    Done - the drive is now accessible through the media centre UI at:

    Code
    /media/SSD

    Edited 4 times, last by LibreEcosse: Error in code (August 19, 2021 at 4:07 PM).

  • If you want to auto mount your encrypted devices, you need to setup scripts like the one present on the libreelec machine at this address:

    .config/system.d/cryptsetup.mount.sample

    From this sample file you can define your own, it's self documented.

    For a fully automated mount, you will need to register a key in plus of the passphrase in the luks partition and store it somewhere so that it can be accessed when needed to decrypt it.

    This of course defeat the purpose of encrypted partition as anybody booting the machine will have access to the content.

    But it's handy when the encrypted disk is not always attached to the libreelec machine.

    Tokens like crypttab, luks key etc will be handy in your web searches to setup the automatic unlock of the encrypted partitions, then the systemd mount services will auto mount the luks mapper devices.

  • and the actual command line i use at the moment on my CentOS7 systems to mount my encrypted drives with a PW given in a script and mounting all

    Code
    stty -echo
    $ECHO -e ">>> Please enter password:    \c"
    read PASS
    stty echo
    
    cryptsetup luksOpen /dev/sdc1 luks-sdc1 - <<< "$PASS" || exit 1

    I'm stuck here. How can I automount truecrypt volume without entering password each time?

    This is the scene: I use Raspberry Pi 5 as mediacenter, my hard disk is encrypted with truecrypt, I connect it to usb port and I would like it is automounted. But using cryptsetup open --type tcrypt /media/container.tc tcrypt-sda1 I need to manually enter a password each time.