The officially official Devuan Forum!


#1 2020-02-14 19:44:27

Hvkc37.
Member
Registered: 2020-02-14
Posts: 2  

Encrypted portable installation on a flash drive.

Hello, I would like to create an encrypted installation of Devuan on a USB stick that I can boot into on multiple computers. Could you please give me a hand? I'm not quite sure how to go about it.
It's not the first time I've installed Linux; I used Debian previously for quite some time, and installing Linux encrypted is not the problem. It's the "bootable on multiple PCs" part I'm having trouble figuring out, though I imagine the encryption might require some tweaking too if I want the stick to work on multiple computers. I really have no idea.
I know I'm probably not going to have full disc encryption, but I would like to encrypt more than just /home; encrypting the entire / partition with only /boot left readable would be ideal.
Could you please give me some instructions on how to go about installing Devuan in this way?


#2 2020-02-15 02:54:21

dzz
Member
From: Exmouth, South West England
Registered: 2016-12-01
Posts: 30  

Re: Encrypted portable installation on a flash drive.

My usual method is an out-of-the-box live image (Refracta is the prime candidate, but there are others) with LUKS-encrypted full persistence. The live image is tailored to suit as many machines as possible. The persistence is a custom overlayfs; it can be a (decent size) file or a partition. On boot it will prompt for the LUKS key; if you don't have that, it will continue to boot to only the basic, default live image. The security of the rest is down to the strength of your encryption key.

It's quite surprising how quickly and efficiently such a system can run.


#3 2020-02-15 10:44:48

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 983  

Re: Encrypted portable installation on a flash drive.

If you decide to go with a conventional installation to the USB stick:

Hvkc37. wrote:

I know I'm probably not going to have full disc encryption

It is possible to have full disk encryption with /boot included: https://bugs.debian.org/cgi-bin/bugrepo … =814798#15

To have a system that is bootable from both UEFI & non-UEFI machines, use a GUID partition table (GPT) and include a BIOS boot partition[1] as well as an EFI system partition (ESP)[2], then install in non-UEFI mode, boot the system and run

# apt install grub-efi-{amd64,ia32}-bin
# mount /dev/sdXY /mnt
# grub-install --target=x86_64-efi --efi-directory=/mnt --removable
# grub-install --target=i386-efi --efi-directory=/mnt --removable

^ That will install the 32- & 64-bit UEFI versions of GRUB and allow booting in both modes (replace X & Y with the drive letter & partition number assigned to the ESP).

There is a chance that some very old machines won't boot from a GUID partition table but I think the above method gives the best chance of universality.

[1] Apply the "bios_grub" flag in gparted or type "EF02" in gdisk. It should have no filesystem; I prefer to use sectors 34-2047, which should be free on a correctly aligned disk.

[2] Apply the "boot,esp" flag in gparted or type "EF00" in gdisk. It should be FAT-formatted; I prefer to use 512MiB, but ~100MiB should be plenty.

Last edited by Head_on_a_Stick (2020-02-15 16:20:51)


Black Lives Matter

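An added check script (example code, not from the thread or from Head_on_a_Stick's post) for confirming that a stick built with the GPT + BIOS boot partition + ESP recipe above really carries both partition types and both fallback UEFI loaders before it is relied on elsewhere. The sgdisk listing is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): after following the GPT + BIOS boot
# partition + ESP recipe, confirm the stick carries what both boot modes need.

# check_gpt_layout: read an `sgdisk -p` style listing on stdin and return 0
# only if it shows a BIOS boot partition (code EF02) and an ESP (code EF00).
check_gpt_layout() {
    have_bios=0
    have_esp=0
    # sgdisk prints: Number  Start  End  Size  Unit  Code  Name
    while read -r _num _start _end _size _unit code _name; do
        case "$code" in
            EF02) have_bios=1 ;;
            EF00) have_esp=1 ;;
        esac
    done
    [ "$have_bios" -eq 1 ] && [ "$have_esp" -eq 1 ]
}

# check_esp_loaders DIR: with the ESP mounted at DIR, return 0 only if both
# fallback loaders written by `grub-install --removable` are present, so the
# stick boots on 64-bit and 32-bit UEFI firmware without any NVRAM entries.
check_esp_loaders() {
    dir=$1
    [ -f "$dir/EFI/BOOT/BOOTX64.EFI" ] && [ -f "$dir/EFI/BOOT/BOOTIA32.EFI" ]
}

# Constructed sample listing in sgdisk format for a correctly laid out stick
# (BIOS boot partition in sectors 34-2047, as footnote [1] suggests).
SAMPLE_LISTING='Number  Start (sector)    End (sector)  Size       Code  Name
   1              34            2047   1007.0 KiB  EF02  BIOS boot partition
   2            2048         1050623   512.0 MiB   EF00  EFI system partition
   3         1050624        30000000   13.8 GiB    8300  Linux filesystem'

# Usage on a real stick (replace sdX and the mount point with your own):
#   sgdisk -p /dev/sdX | check_gpt_layout && echo "partition table ok"
#   check_esp_loaders /mnt && echo "both UEFI loaders present"
```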

#4 2020-02-15 19:02:15

Hvkc37.
Member
Registered: 2020-02-14
Posts: 2  

Re: Encrypted portable installation on a flash drive.

dzz wrote:

On boot it will prompt for the LUKS key; if you don't have that, it will continue to boot to only the basic, default live image. The security of the rest is down to the strength of your encryption key.

This is interesting. Can you make the prompt "invisible"? So it just shows a blinking cursor but doesn't show any symbols when typing, and if you enter a wrong password or just press enter it continues booting into a barebones live USB install?
If so, how would I go about setting a system up in that way?


#5 2020-02-15 21:30:57

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,624  

Re: Encrypted portable installation on a flash drive.

Hvkc37. wrote:
dzz wrote:

On boot it will prompt for the LUKS key; if you don't have that, it will continue to boot to only the basic, default live image. The security of the rest is down to the strength of your encryption key.

This is interesting. Can you make the prompt "invisible"? So it just shows a blinking cursor but doesn't show any symbols when typing, and if you enter a wrong password or just press enter it continues booting into a barebones live USB install?
If so, how would I go about setting a system up in that way?

You can "hide" the boot entry for booting with persistence (i.e. with your encrypted system) by not having that entry in the boot menu. You would then need to press TAB (for isolinux) or e (for grub) to edit the boot menu and add the extra boot options manually. Then, anyone who doesn't know the persistent volume exists would just see the entry for the normal, read-only live system, and that's what would boot. The problem with that method is that you have to type a few extra options on the boot command. (I've been making live-usb sticks like this for years, and I still have to check the syntax on some of the options.)

It's also possible to hide the entire boot menu. Then you would need to press a key to make it appear so you can select the second boot option (boot with persistence). Without the secret key press, you'd boot to the read-only system that does not have any of your personal files.

Here's a tool that will let you create the kind of live-usb that dzz described.
https://sourceforge.net/projects/refrac … b/download

And here are the instructions for its use:
https://refracta.org/docs/readme.refracta2usb.txt

There may be a trickier way to do it so that you only have to type one word to create all the extra options for persistence, but that would require hacking on some live-boot scripts and some testing.


#6 2020-02-16 02:44:22

dzz
Member
From: Exmouth, South West England
Registered: 2016-12-01
Posts: 30  

Re: Encrypted portable installation on a flash drive.

The prompt is something like "Enter passphrase for <your-persistence-media>" after syslinux/isolinux/grub but while still in initramfs. The console doesn't show what you type. If it's incorrect after (if I remember right) 3 attempts, then yes, only the barebones live image boots.

The excellent tool fsmithred linked uses syslinux, IMO a better way than dd or cat (the usual "mainstream" methods) to get a bootable USB for live images.

EDIT: The prompt (in my newest beowulf image) is actually "Please unlock disk /dev/whatever" (here it's loop0, I use a persistence image file). It prints an error if you get it wrong and invites to retry or not. The boot initrd must have dmcrypt support built in.

Last edited by dzz (2020-02-16 04:37:32)

