Index: catalyst/trunk/modules/livecd_stage2_target.py
===================================================================
--- catalyst/trunk/modules/livecd_stage2_target.py (revision 1234)
+++ catalyst/trunk/modules/livecd_stage2_target.py (working copy)
@@ -22,7 +22,9 @@
 "livecd/root_overlay","livecd/devmanager","livecd/users",\
 "portage_overlay","livecd/cdfstype","livecd/fstype","livecd/fsops",\
 "livecd/linuxrc","livecd/bootargs","gamecd/conf","livecd/xdm",\
- "livecd/xsession","livecd/volid"])
+ "livecd/xsession","livecd/volid","encryption/method",\
+ "encryption/key","encryption/keypath","encryption/keysize",\
+ "encryption/options"])
 
 generic_stage_target.__init__(self,spec,addlargs)
 if not self.settings.has_key("livecd/type"):
Index: catalyst/trunk/targets/livecd-stage2/livecd-stage2-controller.sh
===================================================================
--- catalyst/trunk/targets/livecd-stage2/livecd-stage2-controller.sh (revision 1234)
+++ catalyst/trunk/targets/livecd-stage2/livecd-stage2-controller.sh (working copy)
@@ -102,9 +102,14 @@
 ;;
 bootloader)
 shift
- # Here is where we poke in our identifier
+ # Here is where we poke in our identifier and the key (if existent)
 touch $1/livecd
+ if [ "${clst_encryption_keypath}" ]
+ then
+ echo "${clst_encryption_keypath}" > $1/livecd
+ fi
+
 
 # Move over the readme (if applicable)
 if [ -n "${clst_livecd_readme}" ]
 then
Index: catalyst/trunk/targets/support/target_image_setup.sh
===================================================================
--- catalyst/trunk/targets/support/target_image_setup.sh (revision 1234)
+++ catalyst/trunk/targets/support/target_image_setup.sh (working copy)
@@ -1,6 +1,7 @@
 . ${clst_sharedir}/targets/support/functions.sh
 . ${clst_sharedir}/targets/support/filesystem-functions.sh
+. ${clst_sharedir}/targets/support/encryption-functions.sh
 
 # Make the directory if it doesnt exist
 mkdir -p $1
 
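Review bot: The five new `encryption/*` keys are only appended to the list of accepted spec keys; nothing in `__init__` checks that `encryption/method`, when set, is one of the two values the shell side understands (`keyfile` and `manual`), so a typo is rejected only inside encrypt_loop, after a loop device has already been attached and the container file written. A check next to the existing `livecd/type` test, along the lines of `if self.settings.has_key("encryption/method") and self.settings["encryption/method"] not in ("keyfile","manual"):` followed by whatever error the module raises for invalid specs, would fail the build before any device work starts (presumably `self.settings` is a plain dict here, given the `has_key` call). `__init__` starts outside this hunk.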
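Review bot: The key path is written into `$1/livecd` whenever `clst_encryption_keypath` is non-empty, independently of `clst_encryption_method`, so a spec that leaves `encryption/method` empty but still carries a leftover `encryption/keypath` gets that path baked into the marker file of an unencrypted image. Gating on both, `if [ -n "${clst_encryption_method}" ] && [ -n "${clst_encryption_keypath}" ]`, keeps the marker empty unless encryption is actually in use and matches the `-n` form already used for `clst_livecd_readme` a few lines below. The enclosing `case` arm starts outside this hunk.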
@@ -41,4 +42,10 @@
 then
 die "Filesystem not setup"
 fi
-exit $loopret
+
+if [ "${clst_encryption_method}" ]
+then
+ start_encryption $1/${loopname}
+fi
+
+exit $?
Index: catalyst/trunk/targets/support/functions.sh
===================================================================
--- catalyst/trunk/targets/support/functions.sh (revision 1234)
+++ catalyst/trunk/targets/support/functions.sh (working copy)
@@ -190,6 +190,10 @@
 cmdline_opts="${cmdline_opts} ${x}"
 done
 fi
+ if [ "${clst_encryption_method}" ]
+ then
+ cmdline_opts="${cmdline_opts} crypt_root=livecd"
+ fi
 }
 
 check_filesystem_type(){
Index: catalyst/trunk/targets/support/kmerge.sh
===================================================================
--- catalyst/trunk/targets/support/kmerge.sh (revision 1234)
+++ catalyst/trunk/targets/support/kmerge.sh (working copy)
@@ -48,6 +48,11 @@
 then
 GK_ARGS="${GK_ARGS} --linuxrc=/tmp/linuxrc"
 fi
+
+ if [ "${clst_encryption_method}" ]
+ then
+ GK_ARGS="${GK_ARGS} --luks"
+ fi
 }
 
 genkernel_compile(){
Index: catalyst/trunk/targets/support/encryption-functions.sh
===================================================================
--- catalyst/trunk/targets/support/encryption-functions.sh (revision 0)
+++ catalyst/trunk/targets/support/encryption-functions.sh (revision 0)
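Review bot: Replacing `exit $loopret` with `exit $?` discards the status the script used to report on the unencrypted path: when the `if` condition is false the compound command's status is 0, so the script now always exits 0 there, whatever `$loopret` held. On the encrypted path the new `exit $?` is never reached at all, because `start_encryption` in encryption-functions.sh ends with its own `exit`. Keeping `exit $loopret` as the single exit point, with `start_encryption $1/${loopname}` followed by `loopret=$?` inside the `if` (and start_encryption returning rather than exiting), preserves the old behaviour and lets the encryption status propagate through the same variable.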
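Review bot: The new guard uses the bare `[ "${clst_encryption_method}" ]` form, whereas the controller script in this same diff tests variables with `-n` (`[ -n "${clst_livecd_readme}" ]`); the bare form is repeated in the kmerge.sh and target_image_setup.sh hunks of this commit. `if [ -n "${clst_encryption_method}" ]` states the non-empty test explicitly and keeps the three new guards consistent with the existing style. The enclosing function starts outside this hunk.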
@@ -0,0 +1,115 @@
+. ${clst_sharedir}/targets/support/functions.sh
+
+devices_off(){
+ cryptsetup luksClose catalyst
+ losetup -d ${clst_encryption_loop}
+}
+
+free_loop(){
+ echo "Searching for a free loop from /dev/loop0..."
+ local loop=0
+ while true
+ do
+ if [ ! -b "/dev/loop${loop}" ]
+ then
+ exit 1
+ fi
+ # If the loop-device is "free" then break
+ losetup "/dev/loop${loop}" &>/dev/null || break
+ let loop=loop+1
+ done
+ export clst_encryption_loop="/dev/loop${loop}"
+}
+
+
+encrypt_loop(){
+
+# $1 = loop file address
+# $2 = loop device
+# $3 = encryption method
+# $4 = keyfile
+# $5 = clst_encryption_options
+# $6 = keysize
+
+echo "Encrypting the cd using $2 and /dev/mapper/catalyst"
+
+local luks_block_size=$(stat -c "%B" $1)
+
+local luks_size=$(($(stat -c "%b" $1)+8+8*${6}))
+# Normal size plus space for luks (linear in the keysize)
+
+
+echo "Creating empty container..."
+dd if=/dev/zero of=$1_crypt.img count=${luks_size} bs=${luks_block_size} conv=notrunc \
+ || die "Could not create container file with dd, disk full?"
+
+echo "Placing container in loop $2"
+losetup $2 $1_crypt.img || die "Couldn't setup the loop. Do you have loop support in the kernel?"
+
+# Do not remove the previous 'die', it would format an occupied loop
+
+case "$3" in
+ manual)
+ echo 'Creating LUKS image'
+ cat $4 | cryptsetup -s ${6} ${5} luksFormat $2 \
+ || (devices_off; die "Failed to luksFormat. Is Luks configured and are kernel requirements met?")
+ echo 'Opening LUKS image'
+ cat $4 | cryptsetup luksOpen $2 catalyst \
+ || (devices_off; die "Failed to open the luks device")
+ ;;
+ keyfile)
+ echo 'Creating LUKS image'
+ cryptsetup ${5} luksFormat $2 $4 \
+ || (devices_off; die "Failed to luksFormat. Is Luks configured and are kernel requirements met?")
+ echo 'Opening LUKS image'
+ cryptsetup --key-file $4 luksOpen $2 catalyst \
+ || (devices_off; die "Failed to open the luks device")
+ ;;
+ *)
+ devices_off
+ die 'Option for encrypt/method not recognized'
+ ;;
+esac
+
+echo 'Copying root filesystem to container'
+
+dd if=$1 of=/dev/mapper/catalyst conv=notrunc \
+ || (devices_off; die "Failed to put loop contents in Luks image.\
+ Could be bad container size estimative. \
+ Please report this error in the Catalyst mailing list")
+
+cryptsetup luksClose catalyst || \
+ die "Luks image could not br closed, and loop will be left open. \
+ Unknown error occurred"
+
+losetup -d $2 || die "Loop not closed. Unknown error occurred"
+
+echo 'Loop was closed, encryption terminated'
+
+rm $1
+mv $1_crypt.img $1
+
+}
+
+
+start_encryption(){
+ # $1 = loop image
+
+ local keysize
+
+ if [ ! -s "${clst_encryption_key}" ]
+ then die "Key wasn't found"
+ fi
+ #otherwise luks keeps waiting for stdin
+
+ if [ "${clst_encryption_keysize}" ]
+ then keysize=${clst_encryption_keysize}
+ else keysize=256
+ fi
+
+ free_loop || die "Couldn't find available loop"
+ encrypt_loop $1 "${clst_encryption_loop}" "${clst_encryption_method}" "${clst_encryption_key}" "${clst_encryption_options}" "${keysize}"
+ loopret=$?
+ unset clst_encryption_loop
+ exit $loopret
+}
Index: catalyst/trunk/examples/livecd-stage2_template.spec
===================================================================
--- catalyst/trunk/examples/livecd-stage2_template.spec (revision 1234)
+++ catalyst/trunk/examples/livecd-stage2_template.spec (working copy)
@@ -85,6 +85,7 @@
 # zisofs - This uses in-kernel compression and is supported on all platforms.
 # normal - This creates a loop without compression.
 # noloop - This copies the files to the CD directly, withuot using a loopback.
+# (but encryption is only supported with loops)
 # example:
 # livecd/fstype: squashfs
 livecd/fstype:
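Review bot: In encrypt_loop every failure after the loop is attached is handled as `|| (devices_off; die "...")`, and a `die` inside `( ... )` terminates only that subshell, so a failed luksFormat or luksOpen does not stop the function: it continues to `dd if=$1 of=/dev/mapper/catalyst`, then to `rm $1` and `mv $1_crypt.img $1`, and the original image is replaced by a container that was never formatted or filled (this assumes `die`, defined in functions.sh outside this diff, exits the script, as the plain `|| die` uses suggest). The same subshell pattern guards the root-filesystem copy itself. Separately, `exit 1` in free_loop and `exit $loopret` in start_encryption end the whole build from inside a function, so the caller's `free_loop || die "Couldn't find available loop"` can never fire and no caller can act on the encryption status; both should be `return`. The keyfile branch also omits `-s ${6}`, so `encryption/keysize` is honoured only in manual mode even though `luks_size` was computed from it. A small cleanup helper called with `||` (no subshell), `return` in place of the two `exit`s, and `-s ${6}` on both luksFormat calls address all three.
```shell
# Release the mapper device and the loop, then abort the build.
# Called with "||" rather than inside a subshell so that die really stops the script.
cleanup_die(){
	devices_off
	die "$@"
}

free_loop(){
	# … unchanged: loop scan …
		if [ ! -b "/dev/loop${loop}" ]
		then
			return 1
		fi
	# … unchanged: free-loop test and export …
}

# … unchanged: encrypt_loop argument comments, size estimate, container creation, losetup …
	manual)
		# … unchanged: progress echos …
		cat $4 | cryptsetup -s ${6} ${5} luksFormat $2 \
			|| cleanup_die "Failed to luksFormat. Is Luks configured and are kernel requirements met?"
		cat $4 | cryptsetup luksOpen $2 catalyst \
			|| cleanup_die "Failed to open the luks device"
		;;
	keyfile)
		# keysize passed here too, so it matches the container size computed from ${6}
		cryptsetup -s ${6} ${5} luksFormat $2 $4 \
			|| cleanup_die "Failed to luksFormat. Is Luks configured and are kernel requirements met?"
		cryptsetup --key-file $4 luksOpen $2 catalyst \
			|| cleanup_die "Failed to open the luks device"
		;;
# … unchanged: default arm, esac …
dd if=$1 of=/dev/mapper/catalyst conv=notrunc \
	|| cleanup_die "Failed to put loop contents in Luks image. Could be bad container size estimative. Please report this error in the Catalyst mailing list"
# … unchanged: luksClose, losetup -d, rm/mv …

# … unchanged: start_encryption key and keysize checks …
	free_loop || die "Couldn't find available loop"
	encrypt_loop $1 "${clst_encryption_loop}" "${clst_encryption_method}" "${clst_encryption_key}" "${clst_encryption_options}" "${keysize}"
	loopret=$?
	unset clst_encryption_loop
	return $loopret
```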
@@ -361,3 +362,25 @@
 # example:
 # livecd/rm: /lib/*.a /usr/lib/*.a /usr/lib/gcc-lib/*/*/libgcj* /etc/dispatch-conf.conf /etc/etc-update.conf /etc/*- /etc/issue* /etc/make.conf /etc/man.conf /etc/*.old /root/.viminfo /usr/sbin/bootsplash* /usr/sbin/fb* /usr/sbin/fsck.cramfs /usr/sbin/fsck.minix /usr/sbin/mkfs.minix /usr/sbin/mkfs.bfs /usr/sbin/mkfs.cramfs /lib/security/pam_access.so /lib/security/pam_chroot.so /lib/security/pam_debug.so /lib/security/pam_ftp.so /lib/security/pam_issue.so /lib/security/pam_mail.so /lib/security/pam_motd.so /lib/security/pam_mkhomedir.so /lib/security/pam_postgresok.so /lib/security/pam_rhosts_auth.so /lib/security/pam_userdb.so /usr/share/consolefonts/1* /usr/share/consolefonts/7* /usr/share/consolefonts/8* /usr/share/consolefonts/9* /usr/share/consolefonts/A* /usr/share/consolefonts/C* /usr/share/consolefonts/E* /usr/share/consolefonts/G* /usr/share/consolefonts/L* /usr/share/consolefonts/M* /usr/share/consolefonts/R* /usr/share/consolefonts/a* /usr/share/consolefonts/c* /usr/share/consolefonts/dr* /usr/share/consolefonts/g* /usr/share/consolefonts/i* /usr/share/consolefonts/k* /usr/share/consolefonts/l* /usr/share/consolefonts/r* /usr/share/consolefonts/s* /usr/share/consolefonts/t* /usr/share/consolefonts/v* /etc/splash/livecd-2006.1/16* /etc/splash/livecd-2006.1/12* /etc/splash/livecd-2006.1/6* /etc/splash/livecd-2006.1/8* /etc/splash/livecd-2006.1/images/silent-16* /etc/splash/livecd-2006.1/images/silent-12* /etc/splash/livecd-2006.1/images/silent-6* /etc/splash/livecd-2006.1/images/silent-8* /etc/splash/livecd-2006.1/images/verbose-16* /etc/splash/livecd-2006.1/images/verbose-12* /etc/splash/livecd-2006.1/images/verbose-6* /etc/splash/livecd-2006.1/images/verbose-8* /etc/make.conf.example /etc/make.globals /etc/resolv.conf
 livecd/rm:
+
+
+# If you do not want your livecd encrypted with LUKS leave this empty.
+# Possible values are 'keyfile' or 'manual'. Specifies whether you want
+# to boot your livecd with a 'keyfile' or by manually inserting the key
+# with 'manual'.
+# You must configure the kernel config to work with luks, as usual
+encryption/method:
+
+# If above you chose 'keyfile' or 'manual', then below you need to specify
+# the file which contains the binary keyfile or the password.
+encryption/key:
+
+# Insert cryptsetup luksFormat options (such as --cipher and --verify-passphrase).
+#encryption/options:
+
+# Sets the luksFormat keysize, defaults to 256.
+#encryption/keysize:
+
+# If using 'keyfile', indicate the full relative location of the key from the root
+# of the device you're going to use when opening the cd.
+encryption/keypath: