Hello everyone,
I'm looking for a way to build a Tumbleweed KIWI live image with some variant of encrypted, password-unlockable rootfs that will then be flashed to what essentially is a glorified USB drive.
The current version of this image is a rather minimal dmsquash-based read-only KIWI live image where the build results in an ISO that is then flashed to the drive.
This result has worked well so far, including painless Secure Boot support through openSUSE's shim loader. However, I am now confronted with the requirement of encrypting the contents of the root filesystem for further releases of this image.
On a system that's not built automatically, I'd use LVM/LUKS for this goal and let GRUB display the password prompt needed to unlock the rootfs. I've also seen in the KIWI docs that there is an option for LUKS for several image types; this doesn't seem to apply to live images, though.
Is there any way to entice KIWI to build a read-only live image that is LUKS-encrypted? Ideally this approach would feature a Secure Boot-compliant GRUB with the standard password prompt known from LVM/LUKS, and produce the same kind of easily flashable ISO that is the output of a standard KIWI live build process.
(I'm aware that this request is an edge case of an edge case, but I'd still be very thankful for any possible solutions to this quagmire.)
Thank you!
Ioan