Is it possible to create an encrypted snapshot?

[fan_of_LTS]

This may be a ridiculous question but I'll ask anyway.

I create snapshots including everything for personal use. I put them on a Ventoy USB and can boot into last month, the month before, etc. to occasionally look for something I may have deleted or changed. My password manager, KeepassXC and TOTP is in the backup but is protected by it's own encryption and passphrase.

If I have made major changes and know that I want to keep them, I'll also make a live USB. I always choose to encrypt and use the same Luks passphrase I always use on my installed version. If I use dd the image is not bootable.

Is is possible to use command line tools in MX to make a snapshot that is already encrypted with a given passphrase? For example, the initial boot of the live USB uses a 2 word temporary passphrase. Can the tools be used to pass our own longer passphrase and create an ISO that is bootable but stops at the Luks passphrase as a live install does? I wouldn't necessarily create the USB but if I keep ISOs on a Ventoy drive and they are not encrypted I would need to physically secure these backups since they contain my passwords and more.

Any thoughts on this possibility?

[rod178]

Not that I am aware of, consequently I write all of my MX Snapshots to a LUKS encrypted HDD

":..Can the tools be used to pass our own longer passphrase and create an ISO..." That would seem to be a good idea ie then no need to boot the USB to changed and save to password

[CharlesV]

This is a lot like rod178 does, but a different container.

I keep my saved snapshots on a veracyrpt volume, and then if I need them then I copy out to my ventoy drive.

[atomick]

An Honestly Amazing Concept and idea. Charles mention to copy after creation the snapshot.iso into a vera-crypt volume is remarkably in the form of "Absolute Brilliance" is possibly your best concept to consider.

consider a copy of the vera-crypt version your installed to using, - copy that 2 places, one your system to snapshot say /opt/myApps or something like,
and off your system for the year or 17 month down the road you have to recall these images and get it back to a state you can install and recover by.

So that being "Create your Masters Copy" - consider to document your steps - don't leave out anything.

PS: programs do evolve and odd chance the newer version available at the time you "Have to Restore" is and might not be "backwards compatible"
At least you have a copy of Vera-crypt or like wise available to install and use to allow your recovery of said snapshot image.iso

Right on Charles.

[fan_of_LTS]

Thanks, all. I do keep my snapshots on encrypted drives. Everything is encrypted.

Ventoy is convenient but since I can't encrypt the boot images I keep the Ventoy drive in a safe. I have mounted my encrypted drives to copy snapshots to Ventoy before and use them. I am used to booting to the enter passphrase screen and actually find it disconcerting when using an unencrypted snapshot on Ventoy. It's funny what people get used to...

[CharlesV]

@atomick thanks. @fan_of_LTS indeed that works and as long as the are on encrypted drive I think you have your answer.

[Adrian]

I wonder if it's possible to do, I have to study to see what is the live system doing when it's using encryption for persistence live system -- does it encrypt/decrypt linuxfs? how does it detect the encryption... I assume it would be pretty simple to encrypt linuxfs once is created before the ISO is built (so the ISO stuff like kernel would be unencrypted but linuxfs that contains everything else would be encrypted.

[DukeComposed]

I assume it would be pretty simple to encrypt linuxfs once is created before the ISO is built (so the ISO stuff like kernel would be unencrypted but linuxfs that contains everything else would be encrypted.

My first thought, untested of course, was that the persistent storage partition that Ventoy provides doesn't have to be any certain kind of thing. One could mount it through encfs and store any kind of ISO or linuxfs squashfs data in it.

One could potentially patch mx-snapshot to prompt for a key and encrypt the output but then decrypting that output would be a problem; encrypting the data at creation time is less useful here than encrypting the storage container and then decrypting it when it's needed. At that point one could just as easily make a regular snapshot and use GnuPG or age or scrypt or any other kind of method to encrypt it. Boot Ventoy normally, look at the encrypted data on the persistent partition, create a ramdisk in memory, decrypt the data into the ramdisk, and unsquash it to the target machine.

Seems like a ton of work and it's super easy to screw up, but I'm sure it's doable.

[Adrian]

I was talking about MX/antiX persistence. There's a mechanism to deal with encrypted data, I just need to know if it's possible to encrypt linuxfs and if that mechanism can see that encryption automatically and prompt for password like it does in case of persistence.

[DukeComposed]

I was talking about MX/antiX persistence. There's a mechanism to deal with encrypted data, I just need to know if it's possible to encrypt linuxfs and if that mechanism can see that encryption automatically and prompt for password like it does in case of persistence.

And that's great; my thinking was in terms of cold storage: keeping data encrypted at rest but still able to reference it as a real ISO from, say, Ventoy, or a USB live session running from from an ISO.