Is it possible to create an encrypted snapshot?

rod178
Posts: 47
Joined: Mon Nov 15, 2021 11:38 am

Re: Is it possible to create an encrypted snapshot?

#11 Post by rod178 »

Writing the Snapshot to an encrypted container, LUKS physical device or fscrypt folder if restricted on a laptop or such, is the easy part. I would still like to be able to automatically write the iso to the USB stick, with a password that was set in the Snapshot creation process. Also would like to permanently change the path of the Snapshot

thomasl
Posts: 485
Joined: Sun Feb 04, 2018 9:26 am

Re: Is it possible to create an encrypted snapshot?

#12 Post by thomasl »

Somewhat OT but another angle would be to step back and delegate the decrypting step(s) to Ventoy itself. This would enable storing all sorts of ISOs/WIMs/etc with confidential information on a stick. Basically Ventoy would need to recognise that some file is not bootable as-is but is an encrypted container (say a VeraCrypt file though any reliable and secure encrypted container format could be used). It would then ask for credentials, mount the container and start the ISO/WIM/etc inside the container. Easier said than done, I know, and also outside the realm of MX.
Frugal installs on Lenovo ThinkPad L14 Ryzen 5 4650U/24GB * HP Pavilion Ryzen 3 3300U/16GB * Toshiba R950 i5-3340M/12GB
I have a reservation... What do you mean it's not in the COMPUTER!

dolphin_oracle
Developer
Posts: 22523
Joined: Sun Dec 16, 2007 12:17 pm

Re: Is it possible to create an encrypted snapshot?

#13 Post by dolphin_oracle »

rod178 wrote: Thu Jul 10, 2025 6:16 am Writing the Snapshot to an encrypted container, LUKS physical device or fscrypt folder if restricted on a laptop or such, is the easy part. I would still like to be able to automatically write the iso to the USB stick, with a password that was set in the Snapshot creation process. Also would like to permanently change the path of the Snapshot
The GUI tool might not support it, but the command line live-usb-maker tool will let you specify the password at live-usb creation.

Code: Select all

--encrypt=<flag>      Phasephrase option:
                           ask         Enter the passphrase via the keyboard
                           first-boot  Force user to set phrase on first boot
                           file=xxx    Read phrase from file <xxx>
                           random      Generate a random passphrase
                           random=N    Generate a random passhphrase containing
                                       N words (1 -- 20 allowed)
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Live system help document: https://mxlinux.org/wiki/help-antix-live-usb-system/

rod178
Posts: 47
Joined: Mon Nov 15, 2021 11:38 am

Re: Is it possible to create an encrypted snapshot?

#14 Post by rod178 »

Thanks I'll have a look

I have also previously endeavoured to change the path in /etc/mx-snapshot.conf
In the gui the change did not stick.

atomick

Re: Is it possible to create an encrypted snapshot?

#15 Post by atomick »

That file is the primary - the one you should change is at your home directory

Code: Select all

  /home/me/.config/MX-Linux/mx-snapshot.conf   
consider a copy before modify, in the middle is the Save too mx-snapshot_directory=/home/snapshot - this is the what you can change to your other partition directory/snapshot
I have a 2T drive split 2x 1T partitions for snapshot and vbox clones. It is also set to hidden and it is only owned by myself (perms 0700) and also has the sticky bit enabled.
it is auto mounted via the /etc/fstab and the mount point is also .hidden So in a form its safe from Web access down the throat of any browser no matter how you might feel to think you are protected in a form you are not.

one concept is to write a mount by need a script to mount up a drive set to retain your encryption protection. And umount when finished with copy transfers for saving.

Would think by your impress that you may be doing crypto trade and want to keep everything as super safe you can.
So if you have some level of protection working on line for doing this. Anything Upstream you perform is now the magnitude of your protections schema. As Charles So Brilliantly suggest to keeping snapshots into a vera-crypt vault is most excellent.
a one step up would be make this vault only accessible to yourself when you're offline and disconnected or your nic both eth0 and wlan0 are offline downed or cable and wifi disconnected and turned off. "BEFORE you Enable turn up mount this Protected Vault "

That alone is going to be a safe challenge and I recommend 3x that protection as well. With 2 of those copies off out of the systems. Tape backups for Enterprise have 3 copies 2 are off site as backup to the backup.
As well now you have wicked hard long Passwd Keys / wallets to contend with and their encryption worries for what say happen 18 months from now.

Think this thru when you complete a method "Test IT" if you're familiar with VirtualBox continue with and clone your snapshot to guest in Vbox and test your theory practical.
And Document everything for that practical purpose your mind is in sync with your hands and brain is operation for handling it all. And then some. Think of the inevitable and its circumstances can save you that duration when you might be tested for this. and your self.

Food for thought.

PS: consider to try but think the purpose use for snapshot is best suited for its purpose - optn 2 "Resetting Accounts" here you can when deploy to another workstation or device or VBox Guest to proof test the image containment.
there is where you can retain the HD Full encryption and even change it but this can get real testy on grey matter down the road.

Flash copy and find to be devious on how you hide such in your house or bury it in a jar in your back yard with the dog.

Tree holes are no longer a good hide place. This topic alone could real chapters of imagination and things to do try and suggest let alone be overwhelming to detail.
consider all concept even write pro / con down a page and run thru this. Sounds really silly believe me in 2yrs from now this is all going to be mush unless you practice a something method procedures. It will make sense 2 yrs from now.

Logical Thought Process. Cheers.

rod178
Posts: 47
Joined: Mon Nov 15, 2021 11:38 am

Re: Is it possible to create an encrypted snapshot?

#16 Post by rod178 »

/home/rod/.config/MX-Linux/mx-snapshot.conf did the trick

PS imo VeraCrypt is only applicable if you are not using ext4, require cross platform compatibility and plausible deniability. In all other cases fscrypt is the better option

For physical devices LUKS is the better option

There is no need to hide devices if using strong passwords, especially with LUKS. I actually carry all of my encrypted files in my keycase on a micro usb drive, in case the house burns down
My Desktop MX drive and Data Drives are LUKS encrypted
Several Laptops, accessible by multiple users, contain fscrypt encrypted directories, accessible to individual users via passwords

Use VeraCrypt if:
- You need cross-platform compatibility (e.g., sharing encrypted containers with Windows or macOS).
- Plausible deniability is important (e.g., hidden volumes for sensitive data).
- You prefer a GUI or need to encrypt portable drives or specific container files.
- You are not using ext4.
  Example: Encrypt a USB drive for use across Linux and Windows systems.

Use fscrypt if:
- You only need to encrypt specific directories or files (e.g., /home/user/documents).
- You prioritize performance and want minimal overhead on ext4 filesystems.
- Metadata leakage is not a concern for your threat model.
  Example: Encrypt a user’s home directory on a multi-user MX Linux system.

Use LUKS if:
- You need full-disk encryption or want to encrypt entire partitions.
- You prioritize native integration and performance on MX Linux.
- Cross-platform support is not required, and you want a mature, Linux-centric solution.
  Example: Encrypt the entire system drive for a single-user laptop.

fan_of_LTS
Posts: 108
Joined: Sat Jun 13, 2020 11:49 am

Re: Is it possible to create an encrypted snapshot?

#17 Post by fan_of_LTS »

Given the usb maker command line version, it seems the only thing missing is the ability to have it output an ISO instead of requiring the physical drive. I hadn't noticed the option to provide the passphrase as a file. I usually just booted my flash drives and retyped the same passphrase I usually use for external media.

rod178
Posts: 47
Joined: Mon Nov 15, 2021 11:38 am

Re: Is it possible to create an encrypted snapshot?

#18 Post by rod178 »

I later ran

Code: Select all

 mx-snapshot --cli

Unlike running from the gui, it used

Code: Select all

 /etc/mx-snapshot.conf



ie instead of

Code: Select all

/home/rod/.config/MX-Linux/mx-snapshot.conf
To create the password protected LiveUSB

Code: Select all

sudo live-usb-maker --encrypt --password="my_password" -t /dev/sdU -i /path/to/mx-linux-23.iso
Can customize the live USB further with options like:
--percent=XX: Set the percentage of the USB drive to use (e.g., --percent=50 for 50% of the drive).
--label=NAME: Set a custom label for the filesystem (e.g., --label=MXLiveUSB).
--persist: Enable persistence to save changes across reboots (e.g., --persist=home for home directory persistence).

When I have some spare time I'll have a crack at running through a dialogue using Yad.
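
The help text quoted in post #13 lists `--encrypt=file=xxx`, which keeps the passphrase out of command-line arguments and shell history. The following is an added example, not part of any post in this thread and not code from the MX tools: it creates and checks such a file and builds the option string. The function names are hypothetical, `stat -c` assumes GNU coreutils, and how live-usb-maker treats the trailing newline in the file is not stated on the page.

```shell
#!/bin/sh
# Added example: passphrase-file handling for the --encrypt=file=<path>
# option shown in the live-usb-maker help text quoted earlier in the thread.

# Write the passphrase read from stdin to a NEW file with mode 0600.
# $1 is a caller-chosen path (hypothetical).
make_passphrase_file() {
    local path phrase
    path=$1
    if [ -e "$path" ]; then
        echo "refusing to overwrite $path" >&2; return 1
    fi
    IFS= read -r phrase || true
    if [ -z "$phrase" ]; then
        echo "empty passphrase" >&2; return 1
    fi
    # umask is set in a subshell so the caller's umask is left untouched
    ( umask 077 && printf '%s\n' "$phrase" > "$path" )
}

# Accept the file only if it is a non-empty regular file (not a symlink),
# owned by the current user, with no group/other permission bits.
check_passphrase_file() {
    local path mode
    path=$1
    if [ ! -f "$path" ] || [ -L "$path" ] || [ ! -s "$path" ]; then
        echo "$path: not a non-empty regular file" >&2; return 1
    fi
    if [ "$(stat -c '%u' "$path")" != "$(id -u)" ]; then
        echo "$path: not owned by current user" >&2; return 1
    fi
    mode=$(stat -c '%a' "$path")
    case "$mode" in
        [0-7]00) ;;    # e.g. 600 or 400
        *) echo "$path: mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# Print the option string for live-usb-maker once the file passes the checks.
encrypt_arg() {
    check_passphrase_file "$1" || return 1
    printf '%s%s\n' '--encrypt=file=' "$1"
}
```

Delete the passphrase file once the stick has been written.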

rod178
Posts: 47
Joined: Mon Nov 15, 2021 11:38 am

Re: Is it possible to create an encrypted snapshot?

#19 Post by rod178 »

Code: Select all

$ sudo live-usb-maker
[sudo] password for rod:        
===============================================================================
Starting live-usb-maker 2.41.19-2302
===============================================================================
Only one target usb device was found sdf
Will use target device sdf (57.3G USB SanDisk 3.2Gen1)
                                                                                                  
Please select an action to perform                                                                
  > Make a full-featured live-usb                                                                 
  > Start live-usb with a data partition                                                          
  > Make an encrypted full-featured live-usb                                                      
  > Make a customized live-usb (includes encryption option)                                       
  > Other options                                                                                 
Press <Enter> to select the highlighted entry                                                     
Use 'h' for help, 'r' to redraw, 'q' to quit     
