From 5f370c2cdb481637e2d5fd08acf684ebf7802733fe0acc6f40e5e6c0103f97fb Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner" <msw@coresecret.dev>
Date: Thu, 13 Nov 2025 06:26:44 +0100
Subject: [PATCH] V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
---
 .archive/.0000_lib_usage.sh                   | 142 ----------
 .archive/0002_verify_checksums.chroot         | 248 ------------------
 .archive/0003_install_backports.chroot        |  37 ---
 .archive/0005_tmpfile_dublette.chroot         |  72 -----
 .archive/9998_sources_list_bookworm.chroot    |  60 -----
 .archive/generate_PRIVATE_trixie_0.yaml       |   2 +-
 .archive/generate_PRIVATE_trixie_1.yaml       |   2 +-
 .archive/generate_PUBLIC_iso.yaml             |   2 +-
 .archive/lib_lb_config_write.sh               | 115 --------
 .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml     |   2 +-
 .gitea/TODO/dockerfile                        |   2 +-
 .gitea/TODO/render-md-to-html.yaml            |   2 +-
 .gitea/trigger/t_generate_dns.yaml            |   2 +-
 .../workflows/generate_PRIVATE_trixie_0.yaml  |   2 +-
 .../workflows/generate_PRIVATE_trixie_1.yaml  |   2 +-
 .gitea/workflows/generate_PUBLIC_iso.yaml     |   2 +-
 .gitea/workflows/linter_char_scripts.yaml     |   2 +-
 .gitea/workflows/render-dnssec-status.yaml    |   2 +-
 .gitea/workflows/render-dot-to-png.yaml       |   2 +-
 .version.properties                           |   2 +-
 CISS.debian.live.builder.spdx                 |   2 +-
 README.md                                     |   6 +-
 REPOSITORY.md                                 |   4 +-
 ciss_live_builder.sh                          |   5 +-
 .../hooks/live/0001_initramfs_modules.chroot  |   1 +
 .../live/0002_hardening_overlay_tmpfs.chroot  |  63 +++++
 .../hooks/live/0021_dropbear_initramfs.chroot |   9 +-
 config/hooks/live/0100_ciss_mem_wipe.chroot   | 209 +++++++++++++++
 config/hooks/live/9999_zzzz.chroot            |   7 +-
 ...ary => zzzz_ciss_crypt_squash.hook.binary} |   2 +-
 config/includes.chroot/.ciss/.keep            |  10 +
 .../includes.chroot/.ciss/attestation/.keep   |  10 +
 config/includes.chroot/etc/ciss/.keep         |  10 +
 .../includes.chroot/etc/initramfs-tools/.keep |  10 +
 .../initramfs-tools/files/unlock_wrapper.sh   |  15 +-
 .../files/unlock_wrapper_signer.sh            |   6 +-
 .../hooks/9999_ciss_custom_prompt.sh          |   2 +-
 .../hooks/9999_ciss_debian_live_builder.sh    |  11 +-
 .../init-premount/1000_ciss_fixpath.sh        |   2 +-
 .../scripts/init-top/0000_ciss_fixpath.sh     |   2 +-
 .../includes.chroot/etc/ssh/ssh_known_hosts   |   2 +-
 config/includes.chroot/etc/ssh/sshd_config    |   2 +-
 .../etc/sysctl.d/99_local.hardened            |   6 +-
 config/includes.chroot/etc/systemd/.keep      |  10 +
 .../includes.chroot/etc/systemd/system/.keep  |  10 +
 .../preseed/.iso/preseed_hash_generator.sh    |   2 +-
 config/includes.chroot/preseed/preseed.cfg    |   2 +-
 .../lib/live/boot/0022-ciss-overlay-tmpfs.sh  |  60 +++++
 .../usr/lib/live/boot/0024-ciss-crypt-squash  | 170 ++++++++++++
 .../lib/live/boot/0026-ciss-early-sysctl.sh   |  50 ++++
 ...y-checksums => 0030-ciss-verify-checksums} | 166 ++++++++----
 .../live/boot/0042-ciss-post-decrypt-attest   | 194 ++++++++++++++
 docs/AUDIT_DNSSEC.md                          |   2 +-
 docs/AUDIT_HAVEGED.md                         |   2 +-
 docs/AUDIT_LYNIS.md                           |   2 +-
 docs/AUDIT_SSH.md                             |  16 +-
 docs/AUDIT_TLS.md                             |   2 +-
 docs/BOOTPARAMS.md                            |   2 +-
 docs/CHANGELOG.md                             |  42 ++-
 docs/CNET.md                                  |   2 +-
 docs/CODING_CONVENTION.md                     |   2 +-
 docs/CONTRIBUTING.md                          |   2 +-
 docs/CREDITS.md                               |   2 +-
 docs/DL_PUB_ISO.md                            |   2 +-
 docs/DOCUMENTATION.md                         |   9 +-
 docs/MAN_CISS_ISO_BOOT_CHAIN.md               | 185 +++++++++++++
 docs/MAN_SSH_Host_Key_Policy.md               |   2 +-
 docs/REFERENCES.md                            |   2 +-
 lib/lib_arg_parser.sh                         |   6 +
 lib/lib_cdi.sh                                |   2 +-
 lib/lib_check_secrets.sh                      |   9 +-
 lib/lib_ciss_signatures.sh                    |  68 +++++
 lib/lib_ciss_upgrades_boot.sh                 |  38 +--
 lib/lib_gnupg.sh                              |  28 +-
 lib/lib_lb_config_write_trixie.sh             |   2 +-
 lib/lib_primordial.sh                         |  13 +-
 lib/lib_usage.sh                              |   7 +-
 ...y-checksums => 0030-ciss-verify-checksums} |  65 +++--
 .../usr/lib/live/build/binary_checksums.sh    |   4 +-
 scripts/usr/lib/live/build/binary_rootfs.sh   |   1 +
 scripts/usr/local/sbin/9999_cdi_starter.sh    |  14 +-
 var/early.var.sh                              |   2 +-
 var/global.var.sh                             |   2 +
 83 files changed, 1422 insertions(+), 877 deletions(-)
 delete mode 100644 .archive/.0000_lib_usage.sh
 delete mode 100644 .archive/0002_verify_checksums.chroot
 delete mode 100644 .archive/0003_install_backports.chroot
 delete mode 100644 .archive/0005_tmpfile_dublette.chroot
 delete mode 100644 .archive/9998_sources_list_bookworm.chroot
 delete mode 100644 .archive/lib_lb_config_write.sh
 create mode 100644 config/hooks/live/0002_hardening_overlay_tmpfs.chroot
 create mode 100644 config/hooks/live/0100_ciss_mem_wipe.chroot
 rename config/hooks/live/{zzzz_luks_squash.hook.binary => zzzz_ciss_crypt_squash.hook.binary} (98%)
 create mode 100644 config/includes.chroot/.ciss/.keep
 create mode 100644 config/includes.chroot/.ciss/attestation/.keep
 create mode 100644 config/includes.chroot/etc/ciss/.keep
 create mode 100644 config/includes.chroot/etc/initramfs-tools/.keep
 create mode 100644 config/includes.chroot/etc/systemd/.keep
 create mode 100644 config/includes.chroot/etc/systemd/system/.keep
 create mode 100644 config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh
 create mode 100644 config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
 create mode 100644 config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh
 rename config/includes.chroot/usr/lib/live/boot/{0030-verify-checksums => 0030-ciss-verify-checksums} (55%)
 create mode 100644 config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
 create mode 100644 docs/MAN_CISS_ISO_BOOT_CHAIN.md
 create mode 100644 lib/lib_ciss_signatures.sh
 rename scripts/usr/lib/live/boot/{0030-verify-checksums => 0030-ciss-verify-checksums} (83%)

diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh
deleted file mode 100644
index 8558fdf..0000000
--- a/.archive/.0000_lib_usage.sh
+++ /dev/null
@@ -1,142 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-#######################################
-# Usage Wrapper CISS.debian.live.builder
-# Globals:
-#   none
-# Arguments:
-#   $0: Script name
-#######################################
-usage() {
-  clear
-  cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
-
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
-
-"${0} <option>", where <option> is one or more of:
-
-$(echo -e "\e[97m  --help, -h\e[0m")
-    What you're looking at.
-
-$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
-    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
-
-$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
-    A string reflecting the architecture of the Live System.
-    MUST be provided.
-
-$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
-    Where the Debian Live Build Image should be generated.
-    MUST be provided.
-
-$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
-    A string reflecting the Grub Boot Screen Splash you want to use.
-    If omitted defaults to "./.archive/background/club.png".
-
-$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
-    This option generates a boot menu entry to start the forthcoming
-    'CISS.debian.installer', which will be executed after
-    the system has successfully booted up.
-
-$(echo -e "\e[97m  --contact, -c\e[0m")
-    Displays contact information of the author.
-
-$(echo -e "\e[97m  --control <INTEGER>\e[0m")
-    An integer that reflects the version of your Live ISO Image.
-    MUST be provided.
-
-$(echo -e "\e[97m  --debug\e[0m")
-    Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_$$.log"
-
-$(echo -e "\e[97m  --dhcp-centurion\e[0m")
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
-      - https://dns01.eddns.eu/
-      - https://dns02.eddns.de/
-      - https://dns03.eddns.eu/
-
-$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
-    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
-
-$(echo -e "\e[97m  --log-statistics-only\e[0m")
-    Provides statistic only after successful building a
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
-    the argument "--build-directory" MUST be provided while
-    all further options MUST be omitted.
-
-$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
-    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case and MUST be encapsulated
-    with [], e.g., [1234::abcd].
-
-$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
-    Reset the nice priority value of the script and all its children
-    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
-    Negative (higher) values MUST be enclosed in double quotes '"'.
-
-$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
-    Reset the ionice priority value of the script and all its children
-    to the desired <CLASS>. MUST be an integer:
-      1: realtime
-      2: best-effort
-      3: idle
-    Defaults to '2'.
-    Whereas <PRIORITY> MUST be an integer as well between:
-      0: highest priority and
-      7: lowest priority.
-    Defaults to '4'.
-    A real-time I/O process can significantly slow down other processes
-    or even cause them to starve if it continuously requests I/O.
-
-$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
-    and MUST NOT contain the special character '"'.
-    If the argument is omitted, no further login authentication is required for
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
-    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
-    further prompt after password hash has been successfully generated via:
-    'shred -vfzu 5 -f'.
-    No tracing of any plain text password fragment in any debug log.
-
-$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
-    The desired Port SSH should listen to.
-    If not provided defaults to Port 22.
-
-$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
-    specified PATH into the Live ISO. MUST be provided.
-
-$(echo -e "\e[97m  --version, -v\e[0m")
-    Displays version of ${0}.
-
-$(echo -e "\e[93m💡 Notes:\e[0m")
-🔵 You MUST be 'root' to run this script.
-
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
-
-EOF
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/0002_verify_checksums.chroot b/.archive/0002_verify_checksums.chroot
deleted file mode 100644
index 82369a7..0000000
--- a/.archive/0002_verify_checksums.chroot
+++ /dev/null
@@ -1,248 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-target="/usr/lib/live/boot/0030-verify-checksums"
-src="$(mktemp)"
-
-if [[ ! -d /usr/lib/live/boot ]]; then
-  mkdir -p /usr/lib/live/boot
-fi
-
-cat << 'EOF' >| "${src}"
-#!/bin/sh
-# bashsupport disable=BP5007
-# shellcheck shell=sh
-
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: GPL-3.0-or-later
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
-### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
-
-#######################################
-# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
-# Globals:
-#   LIVE_BOOT_CMDLINE
-#   _TTY
-# Arguments:
-#   1: _MOUNTPOINT
-# Returns:
-#   0 : Successful verification
-#######################################
-Verify_checksums() {
-  _MOUNTPOINT="${1}"
-
-  _TTY="/dev/tty8"
-
-  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
-
-  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
-
-  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
-
-    case "${_PARAMETER}" in
-
-      live-boot.verify-checksums=* | verify-checksums=*)
-
-        LIVE_VERIFY_CHECKSUMS="true"
-        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
-        ;;
-
-      live-boot.verify-checksums | verify-checksums)
-
-        LIVE_VERIFY_CHECKSUMS="true"
-        ;;
-
-      live-boot.verify-checksums-signatures | verify-checksums-signatures)
-
-        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
-        ;;
-
-    esac
-
-  done
-
-  case "${LIVE_VERIFY_CHECKSUMS}" in
-
-    true)
-      :
-      ;;
-
-    *)
-      return 0
-      ;;
-
-  esac
-
-  # shellcheck disable=SC2164
-  cd "${_MOUNTPOINT}"
-
-  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
-  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
-
-    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
-    printf "\n"
-
-    CDLB_SCRIPT="$(basename "${0}")"
-    CDLB_SHA="sha512"
-    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
-
-    for CDLB_ITEM in ${CDLB_SHA}; do
-
-      CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
-      CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
-      CDLB_CMD="${CDLB_ITEM}sum"
-
-      printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
-
-      if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
-
-        printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
-        sleep 8
-        # TODO: Remove debug mode
-        # return 0
-
-      else
-
-        printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
-
-      fi
-
-      printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
-
-      CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
-      read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
-
-      if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
-
-        printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
-        sleep 8
-        # TODO: Remove debug mode
-        # return 0
-
-      fi
-
-      printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
-
-    done
-
-    printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
-
-    log_end_msg
-    printf "\n"
-
-  fi
-
-  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
-  log_begin_msg "Verifying checksums"
-  printf "\n"
-
-  # shellcheck disable=SC2001
-  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
-
-    # shellcheck disable=SC2060
-    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
-
-    for _CHECKSUM in ${_CHECKSUMS}; do
-
-      if [ -e "${_CHECKSUM}" ]; then
-
-        printf "Found [%s] ...\n" "${_CHECKSUM}"
-
-        if [ -e "/bin/${_DIGEST}sum" ]; then
-
-          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
-
-            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
-            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
-            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
-            _RETURN_PGP="${?}"
-
-          else
-
-            _RETURN_PGP="na"
-
-          fi
-
-          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
-
-          # shellcheck disable=SC2312
-          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
-          _RETURN_SHA="${?}"
-
-          # Stop after the first verification.
-          break 2
-
-        else
-
-          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
-
-        fi
-
-      fi
-
-    done
-
-  done
-
-  log_end_msg
-
-  case "${_RETURN_PGP},${_RETURN_SHA}" in
-
-    0,0)
-      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
-      sleep 8
-      return 0
-      ;;
-
-    na,0)
-      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
-      sleep 8
-      return 0
-      ;;
-
-    *,0)
-      panic "Verification of signature file failed while verification of checksum file successful."
-      ;;
-
-    na,*)
-      panic "Verification of checksum file failed."
-      ;;
-
-  esac
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-# Copy and make executable
-install -m 0755 "${src}" "${target}"
-
-rm -f "${src}"
-
-unset target src
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/0003_install_backports.chroot b/.archive/0003_install_backports.chroot
deleted file mode 100644
index eaecc94..0000000
--- a/.archive/0003_install_backports.chroot
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-DEBIAN_FRONTEND=noninteractive \
-  apt-get update && \
-    DEBIAN_FRONTEND=noninteractive \
-      apt-get install -y --no-install-recommends \
-        -o Dpkg::Options::="--force-confdef" \
-        -o Dpkg::Options::="--force-confold" \
-        -t bookworm-backports \
-        btrfs-progs \
-        curl \
-        debootstrap \
-        iproute2 \
-        ncat \
-        nmap \
-        ssh \
-        systemd \
-        systemd-sysv \
-        whois
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/0005_tmpfile_dublette.chroot b/.archive/0005_tmpfile_dublette.chroot
deleted file mode 100644
index bdab8e6..0000000
--- a/.archive/0005_tmpfile_dublette.chroot
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-# Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
-
-#######################################
-# Simple error terminal logger.
-# Arguments:
-#   None
-#######################################
-log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
-
-### Locate vendor 'legacy.conf' (The path can vary).
-declare vendor=""
-
-for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
-
-  if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
-
-done
-
-if [[ -z "${vendor}" ]]; then
-  log "WARN: vendor legacy.conf not found; creating a minimal override"
-  install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
-
-else
-
-  install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
-
-fi
-
-### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
-# shellcheck disable=SC2155
-declare tmpdir="$(mktemp -d)"
-declare out="${tmpdir}/legacy.conf"
-
-awk '
-BEGIN{seen=0}
-{
-  # Preserve everything by default
-  keep=1
-  # Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
-  if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
-    if (seen==1) { keep=0 } else { seen=1 }
-  }
-  if (keep) print
-}' /etc/tmpfiles.d/legacy.conf >| "${out}"
-
-### Install the sanitized file atomically.
-install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
-rm -rf -- "${tmpdir}"
-
-log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
-
-command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/9998_sources_list_bookworm.chroot b/.archive/9998_sources_list_bookworm.chroot
deleted file mode 100644
index 27d277b..0000000
--- a/.archive/9998_sources_list_bookworm.chroot
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-# shellcheck disable=SC2155
-declare -r VAR_DATE="$(date +%F)"
-
-cd /root
-
-if [[ -f /etc/apt/sources.list ]]; then
-  mv /etc/apt/sources.list /root/.ciss/cdlb/backup/sources.list.bak
-fi
-
-cat << 'EOF' >| /etc/apt/sources.list
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-#-----------------------------------------------------------------------------------------#
-#                                  OFFICIAL DEBIAN REPOS
-#-----------------------------------------------------------------------------------------#
-
-### Debian Main Repos Bookworm
-
-deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-
-deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml
index ffa428d..9f5d631 100644
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
index 95ee696..c7e7060 100644
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml
index 185d24c..90a7aed 100644
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 💙 Generating a PUBLIC Live ISO.
 
diff --git a/.archive/lib_lb_config_write.sh b/.archive/lib_lb_config_write.sh
deleted file mode 100644
index 9f72348..0000000
--- a/.archive/lib_lb_config_write.sh
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing || return "${ERR_GUARD_SRCE}"
-
-#######################################
-# Wrapper to write a new 'lb config' environment.
-# Globals:
-#   VAR_ARCHITECTURE
-#   VAR_HANDLER_BUILD_DIR
-#   VAR_HANDLER_ISO_COUNTER
-#   VAR_KERNEL
-#   VAR_VERSION
-#   VAR_WORKDIR
-# Arguments:
-#  None
-#######################################
-lb_config_write() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
-
-  lb config \
-    --apt apt \
-    --apt-indices true \
-    --apt-recommends true \
-    --apt-secure true \
-    --apt-source-archives true \
-    --architecture "${VAR_ARCHITECTURE}" \
-    --archive-areas main contrib non-free non-free-firmware \
-    --backports true \
-    --binary-filesystem fat32 \
-    --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
-    --bootloaders grub-efi \
-    --cache true \
-    --checksums sha512 sha256 md5 \
-    --chroot-filesystem squashfs \
-    --chroot-squashfs-compression-level 22 \
-    --chroot-squashfs-compression-type zstd \
-    --color \
-    --compression bzip2 \
-    --debconf-frontend noninteractive \
-    --debconf-priority critical \
-    --debian-installer cdrom \
-    --debian-installer-distribution bookworm \
-    --debian-installer-gui true \
-    --debian-installer-preseedfile "preseed.cfg" \
-    --debug \
-    --distribution bookworm \
-    --distribution-binary bookworm \
-    --distribution-chroot bookworm \
-    --firmware-binary true \
-    --firmware-chroot true \
-    --hdd-label "CENTURIONLIVE" \
-    --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
-    --initramfs "live-boot" \
-    --initramfs-compression gzip \
-    --initsystem systemd \
-    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
-    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
-    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
-    --iso-volume 'CISS.debian.live' \
-    --linux-flavours "${VAR_KERNEL}" \
-    --linux-packages linux-image \
-    --loadlin true \
-    --memtest memtest86+ \
-    --mirror-binary 'https://deb/debian.org/debian/' \
-    --mirror-binary-security 'https://security.debian.org/' \
-    --mirror-bootstrap 'https://deb.debian.org/debian/' \
-    --mirror-chroot 'https://deb.debian.org/debian/' \
-    --mirror-chroot-security 'https://security.debian.org/' \
-    --mirror-debian-installer 'https://deb.debian.org/debian/' \
-    --mode debian \
-    --parent-archive-areas main contrib non-free non-free-firmware \
-    --parent-debian-installer-distribution bookworm \
-    --parent-distribution bookworm \
-    --parent-distribution-binary bookworm \
-    --parent-distribution-chroot bookworm \
-    --parent-mirror-binary 'https://deb.debian.org/debian/' \
-    --parent-mirror-binary-security 'https://security.debian.org/' \
-    --parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
-    --parent-mirror-chroot 'https://deb.debian.org/debian/' \
-    --parent-mirror-chroot-security 'https://security.debian.org/' \
-    --parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
-    --security true \
-    --system live \
-    --source false \
-    --source-images tar \
-    --uefi-secure-boot auto \
-    --updates true \
-    --utc-time true \
-    --verbose
-
-  sleep 1
-
-  sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
-  sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
-
-  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
-  cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
-  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
-  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
-
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index e95d016..b5a5249 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.404.2025.11.10"
+      placeholder: "e.g., Master V8.13.408.2025.11.13"
     validations:
       required: true
 
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index d353f04..6b9cf00 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 FROM debian:bookworm
 
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 0a238e0..afc48a9 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 🔁 Render README.md to README.html.
 
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 41179f0..b648e32 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.404.2025.11.10
+  version: V8.13.408.2025.11.13
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index f95f772..106bea9 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 171e648..95bd361 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index c11624a..5c7c089 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 💙 Generating a PUBLIC Live ISO.
 
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index eea5073..b57e702 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 # Gitea Workflow: Shell-Script Linting
 #
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 266fc13..990835f 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index 90840c0..76c30d9 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 name: 🔁 Render Graphviz Diagrams.
 
diff --git a/.version.properties b/.version.properties
index 9aa19db..eace32a 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.404.2025.11.10"
+properties_version="V8.13.408.2025.11.13"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index 0c076f5..5f7a2d3 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.404.2025.11.10
+PackageVersion: Master V8.13.408.2025.11.13
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index 67c42d1..53d6b75 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.404.2025.11.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.408.2025.11.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.404.2025.11.10`
+Example: `V8.13.408.2025.11.13`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
diff --git a/REPOSITORY.md b/REPOSITORY.md
index 4f6afab..a358325 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2.1. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.404.2025.11.10** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.408.2025.11.13** (as of 2025-10-11)
 
 ## 2.2. Top-Level Layout
 
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index 10a8492..09c6d76 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -139,6 +139,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
   source_guard "./lib/lib_check_secrets.sh"
   source_guard "./lib/lib_check_stats.sh"
   source_guard "./lib/lib_check_var.sh"
+  source_guard "./lib/lib_ciss_signatures.sh"
   source_guard "./lib/lib_ciss_upgrades_boot.sh"
   source_guard "./lib/lib_ciss_upgrades_build.sh"
   source_guard "./lib/lib_clean_screen.sh"
@@ -235,7 +236,8 @@ init_gnupg
 ### Integrate primordial SSH identity files.
 init_primordial
 
-### Integrate CISS.debian.live.builder repository into the build dir.
+### Integrate the CISS.debian.live.builder repository into the build directory.
+### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
 
 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
@@ -244,6 +246,7 @@ cdi
 ### Final CISS.debian.live.builder integrations.
 change_splash
 check_dhcp
+ciss_signatures
 ciss_upgrades_boot
 hardening_root_pw
 note_target
diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
index 165739f..c73d32b 100644
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -58,6 +58,7 @@ readonly -f grep_nic_driver_modules
 
 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
+
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
diff --git a/config/hooks/live/0002_hardening_overlay_tmpfs.chroot b/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
new file mode 100644
index 0000000..efac319
--- /dev/null
+++ b/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
@@ -0,0 +1,63 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+VAR_DATE="$(date +%F)"
+
+cat << EOF >| /etc/systemd/system/ciss-remount-root.service
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Unit]
+Description=Remount overlay root with nosuid,nodev
+DefaultDependencies=no
+After=local-fs.target
+Before=basic.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev /
+
+[Install]
+WantedBy=sysinit.target
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+mkdir -p /etc/systemd/system/tmp.mount.d
+cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
+[Mount]
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+EOF
+
+mkdir -p /etc/systemd/system/dev-shm.mount.d
+cat << EOF >| /etc/systemd/system/dev-shm.mount.d/override.conf
+[Mount]
+Options=mode=1777,nosuid,nodev,noexec,size=25%
+EOF
+
+systemctl enable ciss-remount-root.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0021_dropbear_initramfs.chroot b/config/hooks/live/0021_dropbear_initramfs.chroot
index dbed944..ab6ffd7 100644
--- a/config/hooks/live/0021_dropbear_initramfs.chroot
+++ b/config/hooks/live/0021_dropbear_initramfs.chroot
@@ -19,21 +19,22 @@ declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 
-apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
+apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
 apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
 
-mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
+mkdir -p /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount
+mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
 install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
 rm -f /root/dropbear.file
 
-mv /usr/sbin/dropbear /usr/sbin/dropbear.trixie
+mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
 install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
 
 for var_file in dbclient dropbearconvert dropbearkey; do
 
-  mv "/usr/bin/${var_file}" "/usr/bin/${var_file}.trixie"
+  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
   install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
 
 done
diff --git a/config/hooks/live/0100_ciss_mem_wipe.chroot b/config/hooks/live/0100_ciss_mem_wipe.chroot
new file mode 100644
index 0000000..e890499
--- /dev/null
+++ b/config/hooks/live/0100_ciss_mem_wipe.chroot
@@ -0,0 +1,209 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+apt-get install -y --no-install-recommends kexec-tools busybox-static
+
+install -d -m 0755 /boot/ciss-memwipe
+install -d -m 0755 /usr/local/sbin
+install -d -m 0755 /etc/systemd/system
+install -d -m 0755 /etc/default
+
+### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
+# shellcheck disable=SC2012,SC2155
+declare _kernel="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
+cp -f "/boot/vmlinuz-${_kernel}" /boot/ciss-memwipe/vmlinuz
+
+### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
+declare TMPDIR; TMPDIR="$(mktemp -d)"
+trap 'rm -rf "${TMPDIR}"' EXIT
+
+mkdir -p "${TMPDIR}"/{bin,dev,proc,sys,wipe}
+cp -f /bin/busybox.static "${TMPDIR}/bin/busybox"
+
+cat << 'EOF' >| "${TMPDIR}/init"
+#!/bin/busybox sh
+### Minimal init to wipe RAM, then power off.
+### Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
+set -eu
+
+get_arg() { # $1=key ; echoes value or empty
+
+  for tok in $(cat /proc/cmdline); do
+
+    case "${tok}" in
+      $1=*) echo "${tok#*=}"; return 0;;
+    esac
+
+  done
+
+  echo ""
+}
+
+mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
+[ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
+[ -e /dev/null ]    || mknod -m 666 /dev/null c 1 3
+[ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
+
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+
+PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
+MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
+BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
+PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
+
+echo 1 > /proc/sys/kernel/printk 2>/dev/null || true
+
+MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
+SIZE_KB=$(( MEM_KB * PCT / 100 ))
+mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
+
+wipe_pass() {
+  pattern="$1"
+  if [ "${pattern}" = "zero" ]; then
+    src="/dev/zero"
+  else
+    src="/dev/urandom"
+  fi
+
+  i=0
+  while :; do
+    busybox dd if="${src}" of="/wipe/block_${i}" bs="${BS}" status=none || break
+    i=$((i+1))
+  done
+  sync
+  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /wipe/block_* 2>/dev/null || true
+  sync
+}
+
+DO_ZERO=0; DO_RANDOM=0
+case "${MODE}" in
+  zero) DO_ZERO=1 ;;
+  random) DO_RANDOM=1 ;;
+  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
+  *) DO_ZERO=1 ;;
+esac
+
+p=1
+while [ ${p} -le "${PASSES}" ]; do
+  [ ${DO_ZERO} -eq 1 ] && wipe_pass zero
+  [ ${DO_RANDOM} -eq 1 ] && wipe_pass random
+  p=$((p+1))
+done
+
+sync
+busybox poweroff -f || echo o >| /proc/sysrq-trigger
+EOF
+
+chmod +x "${TMPDIR}/init"
+
+( cd "${TMPDIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
+
+cat << 'EOF' >| /etc/default/ciss-memwipe
+### CISS Memory Wipe defaults
+CISS_WIPE_PASSES=2           # number of passes
+CISS_WIPE_MODE="zero+random" # zero | random | zero+random
+CISS_WIPE_DD_BS="64M"        # dd block size
+CISS_WIPE_TMPFS_PCT=95       # percentage of MemTotal to allocate
+EOF
+
+cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
+#!/bin/bash
+# Prepare and execute kexec-based memory wipe.
+set -euo pipefail
+
+. /etc/default/ciss-memwipe || true
+
+KERNEL="/boot/ciss-memwipe/vmlinuz"
+INITRD="/boot/ciss-memwipe/initrd.img"
+
+append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
+
+prepare() {
+  # Try to allow kexec if not locked down
+  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
+    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
+  fi
+  # Load wipe kernel
+  if command -v kexec >/dev/null 2>&1 && [ -s "${KERNEL}" ] && [ -s "${INITRD}" ]; then
+    kexec -l "${KERNEL}" --initrd="${INITRD}" --append="${append_common}" || true
+  fi
+}
+
+fallback_inplace() {
+  # Last-resort: wipe in-place via tmpfs and then power off
+  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
+  i=0
+  while :; do
+    dd if=/dev/zero of="/run/wipe/blk_${i}" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
+    i=$((i+1))
+  done
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /run/wipe/blk_* 2>/dev/null || true
+  sync
+  systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
+}
+
+execute() {
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  # Prefer systemd's path if possible
+  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
+    # If kexec image was loaded, systemctl kexec will use it
+    systemctl kexec || kexec -e || fallback_inplace
+  else
+    kexec -e || fallback_inplace
+  fi
+}
+
+case "${1:-}" in
+  prepare) prepare ;;
+  execute) execute ;;
+  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
+esac
+EOF
+chmod 0755 /usr/local/sbin/ciss-memwipe
+
+### Systemd service: load at boot, execute on shutdown
+cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
+[Unit]
+Description=CISS: preload and execute kexec-based RAM wipe on shutdown
+DefaultDependencies=no
+# Ensure we run late enough on shutdown, but early enough to take over
+Before=shutdown.target
+After=local-fs.target network.target multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ciss-memwipe prepare
+# ExecStop runs during shutdown: jump into wipe kernel
+ExecStop=/usr/local/sbin/ciss-memwipe execute
+TimeoutStartSec=20s
+TimeoutStopSec=infinity
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable ciss-memwipe.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9999_zzzz.chroot b/config/hooks/live/9999_zzzz.chroot
index 6cc8ca4..0f54de0 100644
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -18,9 +18,14 @@ declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
 ### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
 rm -f  /root/ciss_xdg_tmp.sh
 rm -fr /root/build
+find / -xdev \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f -name '.keep' -exec rm -f -- {} +
+
+### Securing '/.ciss' ----------------------------------------------------------------------------------------------------------
+find /.ciss -type d -exec chmod 0700 {} +
+find /.ciss -type f -exec chmod 0440 {} +
 
 ### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
-find /etc/ciss/keys -type f -exec chmod 0444 {} +
+find /etc/ciss/keys -type f -exec chmod 0440 {} +
 
 ### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
 update-initramfs -u -k all -v
diff --git a/config/hooks/live/zzzz_luks_squash.hook.binary b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
similarity index 98%
rename from config/hooks/live/zzzz_luks_squash.hook.binary
rename to config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
index 6e9801f..7e57627 100644
--- a/config/hooks/live/zzzz_luks_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -60,7 +60,7 @@ readonly -f preallocate
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
 declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
-declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/rootfs.crypt"
+declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
 declare KEYFD=""
 
 # shellcheck disable=SC2155
diff --git a/config/includes.chroot/.ciss/.keep b/config/includes.chroot/.ciss/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/config/includes.chroot/.ciss/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/config/includes.chroot/.ciss/attestation/.keep b/config/includes.chroot/.ciss/attestation/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/config/includes.chroot/.ciss/attestation/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/config/includes.chroot/etc/ciss/.keep b/config/includes.chroot/etc/ciss/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/config/includes.chroot/etc/ciss/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/config/includes.chroot/etc/initramfs-tools/.keep b/config/includes.chroot/etc/initramfs-tools/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/config/includes.chroot/etc/initramfs-tools/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
index fc38d88..1663b20 100644
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -1,22 +1,27 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
+# shellcheck disable=SC2034
 
 set -Ceu -o pipefail -o ignoreeof
 shopt -s failglob
 shopt -s lastpipe
 shopt -u nullglob
 umask 0077
-export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
+declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
+
+### Will be replaced at build time:
+declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
+declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
 
 #######################################
 # Variable declaration
@@ -383,7 +388,7 @@ verify_script() {
 
     color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
 
-    if ! gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
+    if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
 
       color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
       color_echo "${RED}" "✘ System Power Off in 3 seconds."
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh
index 6d9d4f7..511ec61 100644
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh
@@ -1,13 +1,13 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
 
diff --git a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
index deea012..9072ce9 100644
--- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
+++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
@@ -3,7 +3,7 @@
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
diff --git a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
index fe43450..6d5dea9 100644
--- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
@@ -3,7 +3,7 @@
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -47,8 +47,13 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid]
 
 
 ### Include 'busybox' ----------------------------------------------------------------------------------------------------------
-copy_exec /usr/bin/busybox /usr/busybox
-printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
+copy_exec /usr/bin/busybox /usr/bin/busybox
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/bin/busybox] \n\e[0m"
+
+
+### Include 'dmsetup' ----------------------------------------------------------------------------------------------------------
+copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup
+printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup] \n\e[0m"
 
 
 ### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
diff --git a/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh b/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
index b430fb1..afa4030 100644
--- a/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
@@ -3,7 +3,7 @@
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
diff --git a/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh b/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
index 229794f..0a825d7 100644
--- a/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
+++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
@@ -3,7 +3,7 @@
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 2fdad1b..4375467 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index bbfc098..7aa7dd6 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened
index 50b98fd..39dbf97 100644
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.404.2025.11.10
+# Version Master V8.13.408.2025.11.13
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -184,13 +184,13 @@ vm.mmap_rnd_compat_bits=16
 # settings.
 ###########################################################################################
 fs.suid_dumpable=0
-kernel.core_pattern= | /bin/false
+kernel.core_pattern=|/bin/false
 
 ### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 #user.max_user_namespaces=0
 
 ###########################################################################################
-# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
+# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (From v6.2)
 # If you want to set oops_limit greater than one, you will need to disable
 # CONFIG_PANIC_ON_OOPS.
 ###########################################################################################
diff --git a/config/includes.chroot/etc/systemd/.keep b/config/includes.chroot/etc/systemd/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/config/includes.chroot/etc/systemd/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/config/includes.chroot/etc/systemd/system/.keep b/config/includes.chroot/etc/systemd/system/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/config/includes.chroot/etc/systemd/system/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index 74bf2a7..eafa00e 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.404.2025.11.10"
+declare -gr VERSION="Master V8.13.408.2025.11.13"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index 55288fe..18fbadb 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.404.2025.11.10 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.408.2025.11.13 at: 10:18:37.9542
diff --git a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh
new file mode 100644
index 0000000..ff50472
--- /dev/null
+++ b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+# Phase  : premount (executed by live-boot inside the initramfs).
+
+set -eu
+
+### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
+PHASE="${1:-}"
+
+case "${PHASE}" in
+
+  premount)
+    ;;      ### Continue.
+  *)
+    exit 0  ### Do nothing in other phases.
+    ;;
+
+esac
+
+printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m"
+
+### Declare variables ----------------------------------------------------------------------------------------------------------
+OVERLAY_BASE="/run/live/overlay"
+UPPER="${OVERLAY_BASE}/upper"
+WORK="${OVERLAY_BASE}/work"
+
+### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile.
+: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
+
+### Create a base dir with restrictive perms.
+# shellcheck disable=SC2174
+mkdir -p -m 0700 "${OVERLAY_BASE}"
+
+### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path.
+mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
+
+# Prepare upper/work with tight perms.
+# shellcheck disable=SC2174
+mkdir -p -m 0700 "${UPPER}" "${WORK}"
+
+printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
new file mode 100644
index 0000000..f0bf695
--- /dev/null
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -0,0 +1,170 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Open /live/ciss_rootfs.crypt (LUKS) and present its SquashFS as /run/live/rootfs
+# Phase  : premount (executed by live-boot inside the initramfs)
+
+set -eu
+
+### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
+PHASE="${1:-}"
+
+case "${PHASE}" in
+
+  premount)
+    ;;      ### Continue.
+  *)
+    exit 0  ### Do nothing in other phases.
+    ;;
+
+esac
+
+printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0024-ciss-crypt-squash] ... \n\e[0m"
+
+#######################################
+# Premount logging helper.
+# Globals:
+#   None
+# Arguments:
+#   *: String to log.
+#######################################
+log() {
+  msg="$*"
+  if [ -w /dev/kmsg ]; then
+    printf '<6>%s: %s\n' '0024-ciss-crypt-squash' "${msg}" > /dev/kmsg
+  else
+    printf '%s: %s\n' '0024-ciss-crypt-squash' "${msg}"
+  fi
+}
+
+### Declare variables ----------------------------------------------------------------------------------------------------------
+CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
+CDLB_ISO_LABEL="CISS.debian.live"
+MNT_MEDIUM="/run/live/medium"
+MNT_ROOTFS="/run/live/rootfs"
+_PARAMETER=""
+_dev=""
+
+for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
+
+  case "${_PARAMETER}" in
+
+    ciss_crypt_path=*) CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";;
+    ciss_iso_label=* ) CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";;
+
+  esac
+
+done
+
+mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
+
+### Mount the live medium (ISO) read-only, unless already mounted --------------------------------------------------------------
+if ! mountpoint -q "${MNT_MEDIUM}"; then
+
+  if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
+
+    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
+      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
+      || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
+
+  fi
+
+fi
+
+if ! mountpoint -q "${MNT_MEDIUM}"; then
+
+  ### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
+  for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
+
+    ### Skip non-block entries early.
+    [ -b "${_dev}" ] || continue
+
+    ### Try ISO9660 first, then UDF; only unmount on failure
+    if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null \
+      || mount -r -t udf   "${_dev}" "${MNT_MEDIUM}" 2>/dev/null
+    then
+
+      mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
+
+    else
+
+      umount "${MNT_MEDIUM}" 2>/dev/null || true
+
+    fi
+
+  done
+
+fi
+
+if ! mountpoint -q "${MNT_MEDIUM}"; then
+
+  log "no live medium mounted – defer to default live-boot path"
+  exit 0
+
+fi
+
+### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
+if [ ! -f "${MNT_MEDIUM}/${CDLB_LUKS_FS}" ]; then
+
+  log "encrypted root not found at ${MNT_MEDIUM}/${CDLB_LUKS_FS}"
+  exit 0
+
+fi
+
+### Create/read FIFO compatible with cryptsetup-initramfs (if present). This allows 'cryptroot-unlock' to feed the passphrase
+### over SSH (dropbear).
+mkdir -p /lib/cryptsetup
+[ -p /lib/cryptsetup/passfifo ] || mkfifo /lib/cryptsetup/passfifo
+
+### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
+LOOP="$(losetup -f --show -r "${MNT_MEDIUM}/${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
+
+### Try to open the LUKS container, first via FIFO (SSH unlock), then interactively. -------------------------------------------
+attempts=0
+while true; do
+
+  attempts=$((attempts+1))
+  echo "Unlock '${CDLB_LUKS_FS}' (try ${attempts}): use 'cryptroot-unlock' over SSH or enter on console" >/dev/console 2>/dev/null || true
+
+  ## Non-blocking read from FIFO (Dropbear and cryptroot-unlock path).
+  if timeout 5 cat /lib/cryptsetup/passfifo | cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso --key-file - 2>/dev/null; then
+
+    break
+
+  fi
+
+  ### Interactive fallback on the console.
+  if cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso; then
+
+    break
+
+  fi
+
+done
+
+### Mount the decrypted payload as SquashFS under '/run/live/rootfs'. ----------------------------------------------------------
+mount -r -t squashfs /dev/mapper/crypt_liveiso "${MNT_ROOTFS}" || { log "mount squashfs failed"; exit 1; }
+
+### Ensure live-boot keeps using our medium (bind-mount for consistency). ------------------------------------------------------
+mount --bind "${MNT_MEDIUM}" "${MNT_MEDIUM}" 2>/dev/null || true
+
+log "encrypted squashfs is mounted at ${MNT_ROOTFS} (device=/dev/mapper/crypt_liveiso)"
+
+printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh
new file mode 100644
index 0000000..1d115c6
--- /dev/null
+++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Enforce early sysctls before services start.
+# Phase  : premount (executed by live-boot inside the initramfs).
+
+set -eu
+
+### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
+PHASE="${1:-}"
+
+case "${PHASE}" in
+
+  premount)
+    ;;      ### Continue.
+  *)
+    exit 0  ### Do nothing in other phases.
+    ;;
+
+esac
+
+printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"
+
+echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
+echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
+echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
+echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
+echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
+echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+
+printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
similarity index 55%
rename from config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
rename to config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
index 2714a56..babc671 100644
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
@@ -4,7 +4,7 @@
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -15,11 +15,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
+### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 
 #######################################
-# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
+# Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   _TTY
@@ -29,9 +29,43 @@
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
-  printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
+  printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
 
   ### Declare variables --------------------------------------------------------------------------------------------------------
+
+  ### Will be replaced at build time:
+  export CDLB_EXP_FPR="@EXP_FPR@"
+  export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
+
+  ### Declare functions --------------------------------------------------------------------------------------------------------
+
+  #######################################
+  # Helper for colored text output on stdout.
+  # Globals:
+  #   None
+  # Arguments:
+  #   *: String to print
+  #######################################
+  log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }
+
+  #######################################
+  # Helper for colored text output on stdout.
+  # Globals:
+  #   None
+  # Arguments:
+  #   *: String to print
+  #######################################
+  log_ok() { printf '\e[92m[INFO]  %s \n\e[0m' "$*"; }
+
+  #######################################
+  # Helper for colored text output on stdout.
+  # Globals:
+  #   None
+  # Arguments:
+  #   *: String to print
+  #######################################
+  log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
+
   _MOUNTPOINT="${1}"
 
   _PARAMETER=""
@@ -71,19 +105,6 @@ Verify_checksums() {
 
   done
 
-  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
-  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
-
-    if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
-
-      _KEYFILE="${_MP}/0030-verify-checksums.gpg"
-
-      break
-
-    fi
-
-  done
-
   ### Check if the function should be skipped ----------------------------------------------------------------------------------
   case "${LIVE_VERIFY_CHECKSUMS}" in
 
@@ -97,13 +118,33 @@ Verify_checksums() {
 
   esac
 
+  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
+  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
+
+    if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
+
+      _KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
+
+      if [ -e "${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then
+
+        _CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
+
+      fi
+
+      break
+
+    fi
+
+  done
+
   # shellcheck disable=SC2164
   cd "${_MOUNTPOINT}"
 
+
   ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
   if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
 
-    log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
+    log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
     printf "\n"
 
     _CAND=""
@@ -112,7 +153,7 @@ Verify_checksums() {
     CDLB_CMD="/usr/bin/sha512sum"
     CDLB_SHA="sha512"
 
-    for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
+    for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums; do
 
       [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
 
@@ -124,38 +165,54 @@ Verify_checksums() {
     CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
     CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
 
+    _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
 
-    printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
+    _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
 
-    printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
+    ### Compare against pinned and expected fingerprint.
+    if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
 
-    if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
-
-      printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
-      sleep 16
-      panic        "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
+      log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
 
     else
 
-      printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"
+      log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+      sleep 8
+      panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
 
     fi
 
-    printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"
+    ### Script self-integrity and authenticity checks --------------------------------------------------------------------------
+    ### Assumption: initramfs itself is not altered.
+    log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..."
+
+    if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+
+      log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed."
+      sleep 8
+      panic  "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
+
+    else
+
+      log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful."
+
+    fi
+
+    log_in "Recomputing hash for: [${CDLB_SHA}] ..."
 
     CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
     IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
 
     if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
 
-      printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
-      sleep 16
-      panic        "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
+      log_er "Recomputing hash for: [${CDLB_SHA}] failed."
+      sleep 8
+      panic  "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
 
     fi
 
-    printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
-    printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+    log_ok "Recomputing hash for: [${CDLB_SHA}] successful."
+    log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed."
     log_end_msg
     printf "\n"
 
@@ -164,7 +221,7 @@ Verify_checksums() {
   ### Checksum and checksum signature verification -----------------------------------------------------------------------------
   log_begin_msg "Verifying checksums"
   printf "\n"
-  printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"
+  log_in "Verifying checksums ..."
 
   # shellcheck disable=SC2001
   for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -176,27 +233,27 @@ Verify_checksums() {
 
       if [ -e "${_CHECKSUM}" ]; then
 
-        printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
+        log_in "Found: [${_CHECKSUM}] ..."
 
         if [ -e "/usr/bin/${_DIGEST}sum" ]; then
 
-          printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
+          log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
 
           if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
 
-            printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}"
+            log_in "Checking signature of: [${_CHECKSUM}] ..."
 
             _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
 
             if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
 
               _RETURN_PGP="${?}"
-              printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}"
+              log_in "Checking signature of: [${_CHECKSUM}] successful."
 
             else
 
               _RETURN_PGP="${?}"
-              printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}"
+              log_er "Checking signature of: [${_CHECKSUM}] failed."
 
             fi
 
@@ -210,12 +267,12 @@ Verify_checksums() {
           if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
 
             _RETURN_SHA="${?}"
-            printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
+            log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
 
           else
 
             _RETURN_SHA="${?}"
-            printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
+            log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
 
           fi
 
@@ -225,7 +282,7 @@ Verify_checksums() {
         else
 
           _RETURN_SHA="255"
-          printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
+          log_er "NOT Found [/usr/bin/${_DIGEST}sum]."
 
         fi
 
@@ -241,40 +298,35 @@ Verify_checksums() {
   case "${_RETURN_PGP},${_RETURN_SHA}" in
 
     "0,0")
-      printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
-      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
-      sleep 8
+      log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
       log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
+      sleep 8
       return 0
       ;;
 
     "na,0")
-      printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
-      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
-      sleep 8
+      log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
       log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
+      sleep 8
       return 0
       ;;
 
     "0,"*)
-      printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
-      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
       sleep 8
-      panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
+      panic  "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
       ;;
 
     *",0")
-      printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
-      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
       sleep 8
-      panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
+      panic  "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
       ;;
 
     "na,"*)
-      printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
-      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      log_er "Verification of [sha checksum] file failed."
       sleep 8
-      panic "Verification of checksum file failed."
+      panic  "Verification of [sha checksum] file failed."
       ;;
 
   esac
diff --git a/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest b/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
new file mode 100644
index 0000000..c13e930
--- /dev/null
+++ b/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest
@@ -0,0 +1,194 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Late rootfs attestation and dmsetup health checking.
+# Phase  : bottom (executed by live-boot inside the initramfs).
+
+set -eu
+
+### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
+PHASE="${1:-}"
+
+case "${PHASE}" in
+
+  bottom)
+    ;;      ### Continue.
+  *)
+    exit 0  ### Do nothing in other phases.
+    ;;
+
+esac
+
+printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] ... \n\e[0m"
+
+### Declare variables ----------------------------------------------------------------------------------------------------------
+
+### Will be replaced at build time:
+export CDLB_EXP_FPR="@EXP_FPR@"
+export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
+
+### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
+CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-ciss_rootfs.crypt}"
+
+### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
+CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
+CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
+CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
+
+### Declare functions ----------------------------------------------------------------------------------------------------------
+
+#######################################
+# Helper for colored text output on stdout.
+# Globals:
+#   None
+# Arguments:
+#   *: String to print
+#######################################
+log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }
+
+#######################################
+# Helper for colored text output on stdout.
+# Globals:
+#   None
+# Arguments:
+#   *: String to print
+#######################################
+log_ok() { printf '\e[92m[INFO]  %s \n\e[0m' "$*"; }
+
+#######################################
+# Helper for colored text output on stdout.
+# Globals:
+#   None
+# Arguments:
+#   *: String to print
+#######################################
+log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
+
+### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
+_mp=""
+ROOTMP=""
+
+for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
+
+  if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
+
+done
+
+if [ -z "${ROOTMP}" ]; then
+  log_er "No decrypted rootfs mount found."
+  sleep 8
+  # TODO: Remove debug mode
+  # panic "[FATAL] No decrypted rootfs mount found."
+fi
+
+log_ok "Decrypted rootfs at: [${ROOTMP}]"
+
+HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
+SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
+KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
+
+[ -n "${KEYFILE}" ]   || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
+[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
+[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
+
+log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
+_STATUS="$(${GPGV} --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
+_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
+
+### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
+if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
+
+  log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+
+else
+
+  log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+  sleep 8
+  # TODO: Remove debug mode
+  # panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
+
+fi
+
+### 'dmsetup' health check -----------------------------------------------------------------------------------------------------
+MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
+if [ -e "${MAP_DEV}" ]; then
+
+  log_in "Checking dmsetup table for ${MAP_DEV}"
+
+  TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
+  if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
+
+    log_ok "Top layer is 'crypt'."
+
+  else
+
+    log_er "Top layer is NOT 'crypt'."
+    sleep 8
+    # TODO: Remove debug mode
+    # panic "[FATAL] Top layer is NOT 'crypt'."
+
+  fi
+
+  if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
+
+    log_ok "Cipher looks like AES-XTS."
+
+  else
+
+    log_er "Cipher does not look like AES-XTS."
+    sleep 8
+    # TODO: Remove debug mode
+    # panic "[FATAL] Cipher does not look like AES-XTS."
+
+  fi
+
+### Extract child device token (the second last field is 'device', the last is 'offset.') --------------------------------------
+CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')"
+CHILD_NAME="${CHILD_TOK}"
+
+case "${CHILD_TOK}" in
+
+  *:* )
+    if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then
+      CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)"
+      [ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}"
+    fi
+    ;;
+
+  /dev/* )
+    CHILD_NAME="$(basename -- "${CHILD_TOK}")"
+    ;;
+
+esac
+
+#### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). ---------------------------
+log_in "Checking underlying integrity target: ${CHILD_NAME}"
+
+CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
+printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
+printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac'       || { log_er "Integrity target not using keyed MAC (hmac)"; }
+printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512'     || { log_er "Integrity algo not sha512"; }
+printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b'   || { log_er "Expected 4096-byte sector size not found"; }
+
+log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
+
+fi
+
+printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest]\n\e[0m"
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 71a4dcf..8c3d257 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. DNSSEC Status
 
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index a2077a1..c984a8c 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 6ff24b6..d303a10 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Lynis Audit:
 
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index 90e6e80..8f724be 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. SSH Audit by ssh-audit.com
 
@@ -18,18 +18,22 @@ include_toc: true
 
 ````text
 # general
-(gen) banner: SSH-2.0-OpenSSH_9.2p1
-(gen) software: OpenSSH 9.2p1
+(gen) banner: SSH-2.0-OpenSSH_10.0p2
+(gen) software: OpenSSH 10.0p2
 (gen) compatibility: OpenSSH 9.9+, Dropbear SSH 2020.79+
 (gen) compression: disabled
 
 # key exchange algorithms
+(kex) mlkem768x25519-sha256               -- [info] available since OpenSSH 9.9
+                                          `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
 (kex) sntrup761x25519-sha512@openssh.com  -- [info] available since OpenSSH 8.5
                                           `- [info] default key exchange from OpenSSH 9.0 to 9.8
                                           `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
 (kex) sntrup761x25519-sha512              -- [info] available since OpenSSH 9.9
                                           `- [info] default key exchange since OpenSSH 9.9
                                           `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
+(kex) ext-info-s                          -- [info] available since OpenSSH 9.6
+                                          `- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
 (kex) kex-strict-s-v00@openssh.com        -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
 
 # host-key algorithms
@@ -39,16 +43,10 @@ include_toc: true
 
 # encryption algorithms (ciphers)
 (enc) aes256-gcm@openssh.com              -- [info] available since OpenSSH 6.2
-(enc) aes256-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
 
 # message authentication code algorithms
 (mac) hmac-sha2-512-etm@openssh.com       -- [info] available since OpenSSH 6.2
 (mac) hmac-sha2-256-etm@openssh.com       -- [info] available since OpenSSH 6.2
-
-# algorithm recommendations (for OpenSSH 9.2)
-(rec) +aes128-ctr                         -- enc algorithm to append
-(rec) +aes128-gcm@openssh.com             -- enc algorithm to append
-(rec) +aes192-ctr                         -- enc algorithm to append
 ````
 
 ---
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index b990b2f..b355725 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. TLS Audit:
 ````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index b91d234..9b2996a 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Hardened Kernel Boot Parameters
 
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 9fefbfc..15410e1 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,33 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Changelog
 
+## V8.13.408.2025.11.13
+* **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
+* **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
+* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
+* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh) + Enforce early sysctls before services start.
+* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
+* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
+* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
+* **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.
+* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + securing ``/.ciss``, removing ``.keep``.
+* **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh) + integrated dynamic GPG FPR injection.
+* **Changed**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh) + ``dmsetup``.
+* **Changed**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) + integrated dynamic GPG FPR injection.
+* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) + ``--signing_ca=*``.
+* **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling.
+* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
+* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys.
+* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``.
+* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'``
+* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity.
+
 ## V8.13.404.2025.11.10
 * **Added**: [0020_dropbear_build.chroot](../config/hooks/live/0020_dropbear_build.chroot)
 * **Added**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot)
@@ -22,14 +45,14 @@ include_toc: true
 * **Added**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh)
 * **Added**: [dropbear](../config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear)
 * **Added**: [MAN_SSH_Host_Key_Policy.md](MAN_SSH_Host_Key_Policy.md)
-* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_luks_squash.hook.binary) + Preparing squashfs LUKS encryption
+* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Preparing squashfs LUKS encryption
 * **Bugfixes**: [generate_PRIVATE_trixie_0.yaml](../.gitea/workflows/generate_PRIVATE_trixie_0.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [generate_PUBLIC_iso.yaml](../.gitea/workflows/generate_PUBLIC_iso.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums)
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
 * **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h)
 * **Changed**: [.shellcheckrc](../.shellcheckrc)
 * **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf
@@ -38,7 +61,7 @@ include_toc: true
 * **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6
 
 ## V8.13.400.2025.11.08
-* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
 * **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
 * **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
 * **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
@@ -55,16 +78,17 @@ include_toc: true
 * **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling
 
 ## V8.13.384.2025.11.06
+* **Global**: Debian bookworm support deprecated.
 * **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
 * **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
 * **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
 * **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
-* **Added**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
+* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
 * **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [0030-verify-checksums](../scripts/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
+* **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
 * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
 * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
 * **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
@@ -100,9 +124,6 @@ include_toc: true
 * **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration.
 * **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration.
 * **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation.
-* **Removed**: [0002_verify_checksums.chroot](../.archive/0002_verify_checksums.chroot) Unified handling via includes.chroot.
-* **Removed**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) Debian bookworm support deprecated.
-* **Removed**: [lib_lb_config_write.sh](../.archive/lib_lb_config_write.sh) Debian bookworm support deprecated.
 * **Updated**: [icon.lib](../.archive/icon.lib) + Emojis
 
 ## V8.13.298.2025.10.30
@@ -222,7 +243,6 @@ include_toc: true
 * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
 * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
-* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
 * **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
 * **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
@@ -241,7 +261,7 @@ include_toc: true
 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
 
 ## V8.13.008.2025.08.22
-* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
+* **Removed**: [0003_install_backports.chroot]
 
 ## V8.13.004.2025.08.21
 * **Added**: [makefile](../makefile)
diff --git a/docs/CNET.md b/docs/CNET.md
index d0570d7..6c435bf 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Centurion Net - Developer Branch Overview
 
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index c91a7c5..d2a670c 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Coding Style
 
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 4c80ca6..c2d39b8 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Contributing / participating
 
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index 78650fb..089c476 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Credits
 
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index eb0cabd..264868b 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index 0c877b3..a8db3b3 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2.1. Usage
 ````text
                         CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.404.2025.11.10
+Master V8.13.408.2025.11.13
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -111,10 +111,11 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
     MUST be placed in:
     </dev/shm/cdlb_secrets/password.txt>
 
-  --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=*
+  --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=*
     The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is
     specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
     Specify the fingerprint of the key to use via '--signing_key_fpr=*'.
+    Optionally import an offline GPG CA signing public key via: '--signing_ca=*'.
     Change '*' to your desired files / fingerprint. Files MUST be placed in:
     </dev/shm/cdlb_secrets>
 
@@ -145,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
 
-                        V8.13.404.2025.11.10                        2025-11-06                         CDLB(1)
+                        V8.13.408.2025.11.13                        2025-11-06                         CDLB(1)
 ````
 
 # 3. Booting
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
new file mode 100644
index 0000000..c47d7b3
--- /dev/null
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -0,0 +1,185 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.408.2025.11.13<br>
+
+# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
+
+**Status:** 2025-11-12
+**Audience:** CICA CISO, CISS staff, technically proficient administrators
+**Summary:** The CISS.debian Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.
+
+# 3. Overview
+
+* **Trust anchor:** Pinned fingerprint (FPR) of the signing key embedded at build time in initramfs hooks.
+* **Integrity & authenticity verification:**
+
+  1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
+  2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
+* **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
+* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
+
+# 4. Primitives & Parameters (concise)
+
+| Component    | Primitive / Parameter                                     | Purpose                                               |
+|--------------|-----------------------------------------------------------|-------------------------------------------------------|
+| LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                       |
+| dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity/authenticity |
+| PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                     |
+| Signatures   | Ed25519, RSA-4096 (FPR pinned)                            | Public verifiability, non-repudiation                 |
+| Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                      |
+| Hash lists   | `sha512sum` format                                        | Deterministic content verification                    |
+| Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                 |
+
+# 5. End-to-End Boot Flow
+```mermaid
+sequenceDiagram
+  autonumber
+  participant FW as UEFI/BIOS
+  participant GRUB as GRUB
+  participant K as Kernel
+  participant I as initramfs + live-boot
+  participant D as Dropbear (optional)
+  participant C25 as CISS 0025 (live-premount)
+  participant C30 as CISS 0030 (live-bottom, early)
+  participant LUKS as LUKS2 + dm-integrity
+  participant RS as RootFS (SquashFS/Overlay)
+  participant C45 as CISS 0045 (live-bottom, late)
+
+  FW->>GRUB: Load kernel + initramfs
+  GRUB->>K: Boot kernel
+  K->>I: Pivot to initramfs (live-boot phases)
+  I->>D: (optional) Start Dropbear (remote unlock)
+  I->>C25: Run 0025: LUKS open (dm-crypt+integrity), mount SquashFS
+  C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
+  I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin, optional self-hash)
+  C30-->>I: OK → continue; FAIL → abort
+  I->>RS: Assemble overlay, switch_root
+  I->>C45: Run 0045: Verify root fs (gpgv, FPR pin) + dmsetup health
+  C45-->>I: OK → handoff to userspace; FAIL → abort
+```
+
+# 6. LUKS/dm-integrity Layering
+```mermaid
+graph TD
+  A[Plain device (rootfs.crypt)] --> B[dm-integrity<br/>HMAC-SHA-512, 4 KiB]
+  B --> C[dm-crypt<br/>AES-XTS-512]
+  C --> D[Mapped device /dev/mapper/crypt_liveiso]
+  D --> E[SquashFS mount /run/live/rootfs]
+```
+
+**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
+
+# 7. Build-Time Core Step (LUKS)
+```sh
+cryptsetup luksFormat \
+  --batch-mode \
+  --cipher aes-xts-plain64 \
+  --integrity hmac-sha512 \
+  --iter-time 1000 \
+  --key-file "/proc/$$/fd/${KEYFD}" \
+  --key-size 512 \
+  --label crypt_liveiso \
+  --luks2-keyslots-size 16777216 \
+  --luks2-metadata-size 4194304 \
+  --pbkdf argon2id \
+  --sector-size 4096 \
+  --type luks2 \
+  --use-random \
+  --verbose \
+  "${LUKSFS}"
+```
+
+**Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
+
+# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
+
+**Goal:** Before consuming any medium content, verify:
+
+1. **Detached signature of `sha512sum.txt`** using `gpgv` against the embedded public key.
+2. **FPR pinning:** Parse `VALIDSIG` and require exact match with the build-time pinned FPR.
+3. **Optional:** *Script self-IA* – hash the executed hook and compare against the signed list (drift/bitrot detector).
+
+**Core call (initramfs):**
+
+```sh
+/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify sha512sum.txt.sig sha512sum.txt
+# parse [GNUPG:] VALIDSIG ... <FPR> ...
+```
+
+# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
+
+**Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
+
+* **Attestation files:** `/.ciss/attest/rootfs.sha512[.sig]`
+* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
+* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
+
+**Core calls (initramfs):**
+
+```sh
+# 1) Signature and FPR pin (no agent)
+/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify "$SIG" "$DATA"
+
+# 2) Optional: Content hash verification
+( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
+
+# 3) dmsetup health
+dmsetup table --showkeys /dev/mapper/crypt_liveiso
+dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
+```
+
+# 9. Failure Policy (fail-closed, deterministic)
+
+* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
+
+# 10. Dropbear (Hardened Remotely Unlock)
+
+```text
+• Public-key auth only, no passwords
+• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
+• No agent/X11/TCP forwarding, no SFTP
+• Strict timeouts/keep-alives, restricted cipher/KEX set
+• Port 42137 (per CISS convention)
+```
+
+*Concrete selection compiled via your `localoptions.h` at ISO build time.*
+
+# 11. Integration Points & Paths
+
+* **Hooks (build view):** `/usr/lib/live/boot/0025-...`, `/usr/lib/live/boot/0030-...`, `/usr/lib/live/boot/0045-...`
+* **Hooks (boot view):** `/scripts/live-premount/0025-...`, `/scripts/live-bottom/0030-...`, `/scripts/live-bottom/0045-...`
+* **Key files:**
+  * ISO edge (for 0030): embedded public key blob (project-specific name)
+  * Root FS (for 0045): `/etc/ciss/keys/*.gpg`
+* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
+
+# 12. Diagram: Trust Chain & Verification Paths
+
+```mermaid
+flowchart TD
+  A[Build time<br/>pin EXP_FPR + embed ISO key] --> B[ISO artifacts<br/>sha512sum.txt + .sig]
+  B --> C[Boot early (0030)<br/>gpgv verify + FPR pin]
+  C -->|OK| D[LUKS open (0025)]
+  D --> E[Mount RootFS]
+  E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
+  F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA512)]
+  C -- FAIL --> X[Abort]
+  F -- FAIL --> X
+  G -- FAIL --> X
+```
+
+# 13. Closing Remark
+
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md
index e7198cd..1b25d77 100644
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
 
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index 97d415a..e65c48c 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>
 
 # 2. Resources
 
diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh
index 4345111..0d62aec 100644
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -433,6 +433,12 @@ arg_parser() {
           shift 2
           ;;
 
+        --signing_ca=*)
+          # shellcheck disable=SC2034
+          declare -gx VAR_SIGNING_CA="${1#*=}"
+          shift 1
+          ;;
+
         --signing_key=*)
           # shellcheck disable=SC2034
           declare -gx VAR_SIGNER="true"
diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh
index 6edc55d..70304c6 100644
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -44,7 +44,7 @@ cdi() {
     tmp_entry="$(mktemp)"
     cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${VAR_KERNEL} boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
         initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
diff --git a/lib/lib_check_secrets.sh b/lib/lib_check_secrets.sh
index 23527c6..66c04a6 100644
--- a/lib/lib_check_secrets.sh
+++ b/lib/lib_check_secrets.sh
@@ -25,6 +25,12 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 x_remove() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 
+  declare _old_nullglob="" _old_dotglob=""
+
+  ### Enable nullglob/dotglob, disable failglob for safe globbing.
+  _old_nullglob="$(shopt -p nullglob || true)"
+  _old_dotglob="$( shopt -p dotglob  || true)"
+
   shopt -s nullglob dotglob
 
   if [[ "${VAR_SIGNER}" == "true" ]]; then
@@ -45,7 +51,8 @@ x_remove() {
 
   fi
 
-  shopt -u nullglob dotglob
+  eval "${_old_nullglob}" 2>/dev/null || true
+  eval "${_old_dotglob}"  2>/dev/null || true
 
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
 
diff --git a/lib/lib_ciss_signatures.sh b/lib/lib_ciss_signatures.sh
new file mode 100644
index 0000000..592faa0
--- /dev/null
+++ b/lib/lib_ciss_signatures.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SRCE}"
+
+#######################################
+# MUST be executed before 'ciss_upgrades_boot()'.
+# Module to export GPG FPRs into scripts:
+#  - /etc/initramfs-tools/files/unlock_wrapper.sh
+#  - /usr/lib/live/boot/0030-ciss-verify-checksums
+#  - /usr/lib/live/boot/0042-ciss-post-decrypt-attest
+# Globals:
+#   BASH_SOURCE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_SIGNING_CA
+#   VAR_SIGNING_CA_FPR
+#   VAR_SIGNING_KEY_FPR
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+ciss_signatures() {
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+
+  declare -ar _ary_target=(
+    "/etc/initramfs-tools/files/unlock_wrapper.sh"
+    "/usr/lib/live/boot/0030-ciss-verify-checksums"
+    "/usr/lib/live/boot/0042-ciss-post-decrypt-attest"
+    )
+
+  declare _target="" target=""
+
+  for _target in "${_ary_target[@]}"; do
+
+    declare target="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/${_target}"
+
+    sed -i -e "s|@EXP_FPR@|${VAR_SIGNING_KEY_FPR}|g" "${target}"
+
+    if [[ -n "${VAR_SIGNING_CA}" ]]; then
+
+      sed -i -e "s|@EXP_CA_FPR@|${VAR_SIGNING_CA_FPR}|g" "${target}"
+
+    else
+
+      sed -i -e '/@EXP_CA_FPR@/d' "${target}"
+
+    fi
+
+  done
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_signatures
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_ciss_upgrades_boot.sh b/lib/lib_ciss_upgrades_boot.sh
index 1ab1c48..2561784 100644
--- a/lib/lib_ciss_upgrades_boot.sh
+++ b/lib/lib_ciss_upgrades_boot.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,7 +13,10 @@
 guard_sourcing || return "${ERR_GUARD_SRCE}"
 
 #######################################
-# Integrates primordial SSH identity- and / or ssh_host-files.
+# Integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts:
+#  - /.ciss/attestation/VAR_SIGNING_KEY_FPR.*
+#  - /etc/initramfs-tools/files/unlock_wrapper.sh
+#  - /usr/lib/live/boot/0030-ciss-verify-checksums
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
@@ -28,25 +31,30 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 ciss_upgrades_boot() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 
-  ### Updates '/usr/lib/live/boot/0030-verify-checksums'.
-  if [[ ! -f "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" ]]; then
+  declare -ar _ary_target=(
+    "/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
+    "/etc/initramfs-tools/files/unlock_wrapper.sh"
+    "/usr/lib/live/boot/0030-ciss-verify-checksums"
+  )
 
-    install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
+  declare _target="" target=""
 
-    install    -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  for _target in "${_ary_target[@]}"; do
 
-  fi
+    declare target="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/${_target}"
 
-  declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt"
-  declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt.sig"
-  declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
-  declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
+    declare var_sha="${target}sha512sum.txt"
+    declare var_sig="${var_sig}.sig"
+    declare var_fil="${target}"
+    declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
 
-  # shellcheck disable=SC2312
-  sha512sum "${var_fil}" | sed "s|${var_prefix}||" >| "${var_sha}"
+    # shellcheck disable=SC2312
+    sha512sum "${var_fil}" | sed "s|${var_prefix}||" >| "${var_sha}"
 
-  gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
-    --detach-sign --output "${var_sig}" "${var_sha}"
+    gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
+      --detach-sign --output "${var_sig}" "${var_sha}"
+
+  done
 
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
 
diff --git a/lib/lib_gnupg.sh b/lib/lib_gnupg.sh
index 7002688..ec68026 100644
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -21,6 +21,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_EARLY_DEBUG
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SIGNER
+#   VAR_SIGNING_CA
+#   VAR_SIGNING_CA_FPR
 #   VAR_SIGNING_KEY
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASS
@@ -43,7 +45,7 @@ init_gnupg() {
     umask 0077
 
     ### Avoid collision with Gitea runner workflows.
-    if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
+    if [[ "${VAR_CDLB_INSIDE_RUNNER}" != "true" ]]; then
 
       printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
 
@@ -92,14 +94,34 @@ EOF
 
     fi
 
+    ### Optionally, import offline GPG CA public keys.
+    if [[ -n "${VAR_SIGNING_CA}" ]]; then
+
+      # shellcheck disable=SC2155
+      declare -gx VAR_SIGNING_CA_FPR="$(
+        gpg --batch --with-colons --import-options show-only --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}" \
+          | awk -F: '$1=="pub"{seen_pub=1; next} seen_pub && $1=="fpr"{print $10; exit}'
+      )"
+
+      if ! gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"; then
+
+        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import CA public key. \e[0m\n"
+        return "${ERR_GPG__AGENT}"
+
+      fi
+
+    fi
+
     shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
+    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"
 
     ### Export public key for verification inside ISO / chroot.
     install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
     install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
     gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
-    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/unlock_wrapper_pubring.gpg"
-    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"
+    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_KEY_FPR}.gpg"
+    [[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_CA_FPR}.gpg"
+    [[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_CA_FPR}.gpg"
 
     umask "${__umask}"
     __umask=""
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index 895716b..16df73b 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -45,7 +45,7 @@ lb_config_write_trixie() {
     --binary-filesystem fat32 \
     --binary-image iso-hybrid \
     --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
     --bootloaders grub-efi \
     --cache true \
     --checksums sha512 sha384 sha256 \
diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh
index a72d6f0..1bcced9 100644
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -13,7 +13,7 @@
 guard_sourcing || return "${ERR_GUARD_SRCE}"
 
 #######################################
-# Integrate primordial SSH identity files.
+# Integrates CISS dropbear and SOPS Age Key and CISS and PhysNet primordial SSH identity files.
 # Globals:
 #   BASH_SOURCE
 #   VAR_AGE
@@ -30,8 +30,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 init_primordial() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 
+  ### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
   declare var_dropbear_version="2025.88"
-  declare var_unlock_wrapper="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh"
 
   install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
   install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
@@ -44,15 +44,6 @@ init_primordial() {
   install    -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
     "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.file"
 
-  # shellcheck disable=SC2312
-  sha512sum "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh" | awk '{print $1}' \
-    >| "${var_unlock_wrapper}.sha512sum.txt"
-
-  gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
-    --detach-sign --output "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
-
-  gpgv --keyring "${VAR_VERIFY_KEYRING}" "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
-
   ### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
   if [[ "${VAR_AGE,,}" == "true" ]]; then
 
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index c3c968e..0e40e34 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.404.2025.11.10                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.408.2025.11.13                        2025-11-06                         CDLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m"
+    echo -e "\e[92mMaster V8.13.408.2025.11.13\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -141,10 +141,11 @@ usage() {
     echo "    MUST be placed in:"
     echo "    </dev/shm/cdlb_secrets/password.txt>"
     echo
-    echo -e "\e[97m  --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=* \e[0m"
+    echo -e "\e[97m  --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=* \e[0m"
     echo "    The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
     echo "    specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file."
     echo "    Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
+    echo "    Optionally import an offline GPG CA signing public key via: '--signing_ca=*'."
     echo "    Change '*' to your desired files / fingerprint. Files MUST be placed in:"
     echo "    </dev/shm/cdlb_secrets>"
     echo
diff --git a/scripts/usr/lib/live/boot/0030-verify-checksums b/scripts/usr/lib/live/boot/0030-ciss-verify-checksums
similarity index 83%
rename from scripts/usr/lib/live/boot/0030-verify-checksums
rename to scripts/usr/lib/live/boot/0030-ciss-verify-checksums
index 2714a56..8bc8a80 100644
--- a/scripts/usr/lib/live/boot/0030-verify-checksums
+++ b/scripts/usr/lib/live/boot/0030-ciss-verify-checksums
@@ -4,7 +4,7 @@
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -15,7 +15,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
+### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 
 #######################################
@@ -29,7 +29,11 @@
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
-  printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
+  printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
+
+  ### Will be replaced at build time:
+  export CDLB_EXP_FPR="@EXP_FPR@"
+  export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
 
   ### Declare variables --------------------------------------------------------------------------------------------------------
   _MOUNTPOINT="${1}"
@@ -71,19 +75,6 @@ Verify_checksums() {
 
   done
 
-  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
-  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
-
-    if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
-
-      _KEYFILE="${_MP}/0030-verify-checksums.gpg"
-
-      break
-
-    fi
-
-  done
-
   ### Check if the function should be skipped ----------------------------------------------------------------------------------
   case "${LIVE_VERIFY_CHECKSUMS}" in
 
@@ -97,13 +88,33 @@ Verify_checksums() {
 
   esac
 
+  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
+  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
+
+    if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
+
+      _KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
+
+      if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
+
+        _CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
+
+      fi
+
+      break
+
+    fi
+
+  done
+
   # shellcheck disable=SC2164
   cd "${_MOUNTPOINT}"
 
+
   ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
   if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
 
-    log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
+    log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
     printf "\n"
 
     _CAND=""
@@ -112,7 +123,7 @@ Verify_checksums() {
     CDLB_CMD="/usr/bin/sha512sum"
     CDLB_SHA="sha512"
 
-    for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
+    for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums; do
 
       [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
 
@@ -124,9 +135,25 @@ Verify_checksums() {
     CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
     CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
 
+    _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
 
-    printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
+    _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
 
+    ### Compare against pinned and expected fingerprint.
+    if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
+
+      printf "\e[92m[INFO] Signer fingerprint match: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
+
+    else
+
+      printf "\e[91m[FATAL] Signer fingerprint mismatch: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
+      sleep 16
+      panic        "[FATAL] Signer fingerprint mismatch: got [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
+
+    fi
+
+    ### Script self-integrity and authenticity checks --------------------------------------------------------------------------
+    ### Assumption: initramfs itself is not altered.
     printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
 
     if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
diff --git a/scripts/usr/lib/live/build/binary_checksums.sh b/scripts/usr/lib/live/build/binary_checksums.sh
index f4b4c0d..1933a5f 100644
--- a/scripts/usr/lib/live/build/binary_checksums.sh
+++ b/scripts/usr/lib/live/build/binary_checksums.sh
@@ -1,9 +1,10 @@
 #!/bin/sh
 # bashsupport disable=BP5007
+# shellcheck disable=SC2249
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
@@ -85,6 +86,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
 		\! -path './isolinux/isolinux.bin' \
 		\! -path './boot/boot.bin' \
 		\! -path './boot/grub/stage2_eltorito' \
+    \! -path './live/filesystem.squashfs' \
 		\! -path './*SUMS' \
 		\! -path './*sum.txt' \
 		\! -path './*sum.README' \
diff --git a/scripts/usr/lib/live/build/binary_rootfs.sh b/scripts/usr/lib/live/build/binary_rootfs.sh
index a132dd6..e2995a4 100644
--- a/scripts/usr/lib/live/build/binary_rootfs.sh
+++ b/scripts/usr/lib/live/build/binary_rootfs.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 # bashsupport disable=BP5007
+# shellcheck disable=SC2249
 # shellcheck shell=sh
 
 # SPDX-Version: 3.0
diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh
index c20edb9..00d8ce4 100644
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -17,8 +17,8 @@ declare -grx  VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear.
 declare -girx VAR_TIMEOUT=3600               # Semaphore timer in seconds.
 
 install -d -m 0755 /run/lock
-exec 9> /run/lock/9999-cdi-starter.lock
-flock -n 9 || { echo "9999-cdi-starter already running. Exiting."; exit 0; }
+exec 9> /run/lock/9999_cdi_starter.lock
+flock -n 9 || { echo "9999_cdi_starter already running. Exiting."; exit 0; }
 
 #######################################
 # Call into the CISS.debian.installer once the semaphore file is present.
@@ -44,6 +44,7 @@ cdi() {
 
   if [[ "${rc}" -eq 0 ]]; then
 
+    ### In autoinstall mode this command should never be reached due to the reboot command inside ciss_debian_installer.sh.
     logger -t cdi-watcher "cdi(): ciss_debian_installer.sh completed SUCCESSFULLY [${rc}]."
     exit 0
 
@@ -71,7 +72,7 @@ net_wait() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -i i=1
 
-  for i in {1..30}; do
+  for i in {1..60}; do
 
     getent hosts git.coresecret.dev >/dev/null && break
     sleep 1
@@ -126,16 +127,18 @@ main() {
   # shellcheck disable=SC2312
   exec > >(tee -a "${var_log}") 2>&1
 
-  printf "CISS.debian.installer Master V8.13.404.2025.11.10 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.408.2025.11.13 is up! \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
   sleep 8
 
   ### Harden Kernel parameters.
+  printf "Command: [sysp] to be executed ... \n" >> "${var_log}"
   sysp
   printf "Command: [sysp] executed.\n" >> "${var_log}"
 
   ### Wait for network connectivity.
+  printf "Command: [net_wait] to be executed ... \n" >> "${var_log}"
   net_wait
   printf "Command: [net_wait] executed.\n" >> "${var_log}"
 
@@ -148,7 +151,6 @@ main() {
   git clone "${var_repo_url}" "${var_repo_dir}"
   chmod 0700 "${var_repo_dir}/ciss_debian_installer.sh"
   cd "${var_repo_dir}"
-
   printf "Command: [git clone %s %s] executed.\n" "${var_repo_url}" "${var_repo_dir}" >> "${var_log}"
 
   ### Poll up to VAR_TIMEOUT seconds for the semaphore to appear and be mode 0600.
@@ -181,7 +183,7 @@ main() {
 
   ### Timeout reached without acceptable semaphore.
   logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.404.2025.11.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.408.2025.11.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 
   exit 0
 }
diff --git a/var/early.var.sh b/var/early.var.sh
index 7c25dce..713d342 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.404.2025.11.10"
+declare -grx VAR_VERSION="Master V8.13.408.2025.11.13"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
   # Print $4 and $5; include $6 only if it exists
   out = $4
diff --git a/var/global.var.sh b/var/global.var.sh
index fa344b1..6ce1ba2 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -54,6 +54,8 @@ declare -gx VAR_AGE_KEY=""
 declare -gx VAR_LUKS="false"
 declare -gx VAR_LUKS_KEY=""
 declare -gx VAR_SIGNER="false"
+declare -gx VAR_SIGNING_CA=""
+declare -gx VAR_SIGNING_CA_FPR=""
 declare -gx VAR_SIGNING_KEY_FPR=""
 declare -gx VAR_SIGNING_KEY_PASS=""
 declare -gx VAR_SIGNING_KEY_PASSFILE=""