LE 10.0 added lvm2, luks (dm-crypt, veracrypt), mdraid, ext4 encryption

  • download link sky42 LibreELEC community builds

    latest is 10.0.2-#220810


    If you have any problems please install the official LibreELEC version on which my build is based and test again. If the problem is the same it is most likely not my build.

    If you don't use any of the following additions I made, then my images have no benefit for you and you should use the official build.


    the following was added in my community build:

    - /flash 1024MB

    - no GUI tools for the encryption, lvm2 or mdraid

    - enable kernel config for lvm2 and snapshots (no cache, no thin)

    - added lvm2 tools (config is under /storage/.config/lvm)

    - enable kernel config for software raid with lvm2 and standalone with mdraid

    - added mdraid to control linux software raid

    - enable kernel config for dm-crypt to use cryptsetup (compatible with luks, veracrypt, truecrypt)

    - added cryptsetup to manage encrypted block devices with luks, veracrypt and some more

    - enabled /etc/crypttab support in systemd

    - enable kernel config for ext4 filesystem encryption

    - added fscryptctl to manage ext4 encryption

    - enable kernel config for more crypto modules and options

    - curl: enable protocol support for scp, sftp, smb, smbs

    - versions: cryptsetup-2.3.7, lvm2-2.03.11, fscryptctl-1.0.0, mdadm-4.1


    Builds are done for all official LE 10 supported architectures that are so far Generic x86_64, RPi4, RPi2, Allwinner and Rockchip.

    I tested so far only Generic in booting and using cryptsetup.

    RPi2, Allwinner or Rockchip are just built and never installed or tested.


    The following links are only for people who are interested in the source code of my builds.

    You will find them in my GitHub account sky42src (sky42) · GitHub

    full source of my LE 10.0

    GitHub - sky42src/LibreELEC.tv at libreelec-10.0.x

    diff of my source to LE 10.0

    you find in the release post


    Have Fun

    sky42

  • Excuse me, can the following features achieve the purpose of protecting the SYSTEM? Because I modified SYSTEM, I want to protect it to prevent third parties from being able to decompress it. Can it be achieved through these two features? If so, how to do it?


    - enable kernel config for ext4 filesystem encryption

    - added fscryptctl to manage ext4 encryption

    • Official Post

    Enabling EXT4 filesystem encryption config results in a kernel that supports EXT4 encrypted filesystems. You would still need to modify LE to use an encrypted EXT4 filesystem within the squashfs SYSTEM file. Adding fscryptctl adds a tool to manage encryption, but since this tool is inside a read-only file (SYSTEM) it will not be able to modify the active SYSTEM file. Making LE boot from an encrypted SYSTEM file is probably not impossible (but there is no how-to, so don't ask) but I wouldn't see any advantage to that approach over using sky42 images which can provide encryption to /storage where you can place any sensitive binaries/configuration/content.

  • Enabling EXT4 filesystem encryption config results in a kernel that supports EXT4 encrypted filesystems. You would still need to modify LE to use an encrypted EXT4 filesystem within the squashfs SYSTEM file. Adding fscryptctl adds a tool to manage encryption, but since this tool is inside a read-only file (SYSTEM) it will not be able to modify the active SYSTEM file. Making LE boot from an encrypted SYSTEM file is probably not impossible (but there is no how-to, so don't ask) but I wouldn't see any advantage to that approach over using sky42 images which can provide encryption to /storage where you can place any sensitive binaries/configuration/content.

    Thank you very much for your meticulous reply.

    But there is a question. After I use @sky42's image, how to encrypt and decrypt files specifically, is there a help manual? In addition, after the script file is encrypted, will it be decrypted when the system is executed?

    • Best Answer

    matthuo I am sorry, the use of ext4 filesystem encryption is very badly documented and the most helpful would be reading how to use fscryptctl. There is no script to automatically mount this ext4 encryption. I built some rather complicated ones for myself, but they are in no shape to give them away.


    The most promising to automate is full disk or partition encryption with luks and there are plenty of instructions out there how to do it.


    With NBDE one can do full disk encryption bound to the network where servers are to get the decryption key from (that is oversimplified), but for that I need at least to put clevis in LE, which I have not yet done. You need at least one tang backend server in the network to automatically decrypt at boot if the OS supports that.

    RHEL 7 and 8 (and Clones like CentOS, AlmaLinux and Rocky Linux) do support NBDE and we use it at work.


    Some links about the rather heavy topic of Network Bound Disk Encryption
    Network-Bound Disk Encryption in Red Hat Linux 7 - Cybersecurity Insiders

    Network-Bound Disk Encryption | Heinlein Support GmbH

    Chapter 12. Configuring automated unlocking of encrypted volumes using policy-based decryption Red Hat Enterprise Linux 8 | Red Hat Customer Portal

    Network-Bound Disk Encryption improvements in RHEL 8

  • fourbian you did not miss anything. There is a bug in my RPi4 image and Lenoxi found it and wrote me. I missed the change of kernel config file as RPi4 kernel changed to 64 bit and my autodetect is looking in the wrong kernel config to see if encryption is enabled.

    I will fix that.
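A check for the failure described in the post above, where the encryption options were patched into a kernel config other than the one the image was built from. This is an added example, not code from sky42's build; the list of Kconfig symbols (mainline names as of kernel 5.10) and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: report which kernel options the features in this thread
# depend on are absent from a given kernel config file.
# Assumption: these mainline Kconfig symbols cover device-mapper, dm-crypt,
# LVM snapshots, md software RAID and ext4 (fscrypt) encryption.
REQUIRED_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_DM_SNAPSHOT CONFIG_BLK_DEV_MD CONFIG_FS_ENCRYPTION"

# missing_opts FILE: print, space separated, every required option that is
# not built in (=y) or built as a module (=m). A line of the form
# "# CONFIG_X is not set" and a wholly absent symbol both count as missing.
missing_opts() {
    cfg=$1
    out=""
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^${opt}=(y|m)\$" "$cfg"; then
            out="${out:+$out }$opt"
        fi
    done
    printf '%s' "$out"
}

# check_config FILE: return 0 when every option is enabled, 1 otherwise.
check_config() {
    m=$(missing_opts "$1")
    [ -z "$m" ] && return 0
    echo "missing: $m" >&2
    return 1
}

# Constructed sample config (not taken from any real image): dm-crypt was
# left disabled although the other options are present.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'CONFIG_BLK_DEV_DM=y' '# CONFIG_DM_CRYPT is not set' \
        'CONFIG_DM_SNAPSHOT=m' 'CONFIG_BLK_DEV_MD=y' \
        'CONFIG_FS_ENCRYPTION=y' > "$tmp"
    missing_opts "$tmp"; echo
    rm -f "$tmp"
}
demo

# On a running system the config can be read with
#   zcat /proc/config.gz > /tmp/running.config
# which only exists when the kernel was built with CONFIG_IKCONFIG_PROC.
```

Running the check against the config of the kernel that actually boots, rather than a config file in the build tree, is what catches a build that patched the wrong file.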

  • Oh and I was neglecting my LE images. I did build a 10.01 but never did release it. Will fix that too. Sorry.

  • Release version 10.0.1-#211219 not for Rockchip

    download link sky42 LibreELEC community builds


    based on https://libreelec.tv/2021/11/03/libreelec-matrix-10-0-1/


    - upstream update from libreelec-10.0 branch up to mid day 2021-12-19

    - kernel update to 5.10.87 (could not fix patches for Rockchip)

    - RPi4 fix now with all the crypttools and kernel options (I really did patch the wrong kernel config, thanks Lenoxi)


    diff of my source
    https://github.com/LibreELEC/L…...sky42src:10.0.1-211219



    fourbian now RPi4 is fixed

  • Hi Sky

    Just installed the latest update and it is working nicely for me.

    Mainly writing to thank you for your work on this version. Was about to give up on LibreELEC and go back to Raspberry Pi OS when I found it. It's great to have an encrypted option.


    Best regards

    Padraic


    PS, I did notice that the screen saver is not working well with the new version. It seems to put the system to sleep rather than dim the screen.

  • PMA1 for the screensaver part please try official LE and check if the problem is also there. If not I cannot really help, because I just patched in the encryption.

    Next on my list is to include clevis, so that I can use NBDE. But I don't think this year.

  • Release version 10.0.2-#220520

    download link sky42 LibreELEC community builds


    based on https://libreelec.tv/2022/03/09/libreelec-matrix-10-0-2/


    - update to latest upstream commit in branch libreelec-10.0
    - kernel update to 5.10.117 for Generic, RockChip and Allwinner

    - kernel update 5.10.110 (latest RPi 5.10.y source)


    diff of my source

    Comparing LibreELEC:542aae4...sky42src:14c125d · LibreELEC/LibreELEC.tv