Alejandro R. Mosteo

A simple way to prepare a portable bootable encrypted Debian USB key/pendrive

For some time I had wanted to have a live Linux distro on my keychain. This, in turn, preferably required encryption of, at least, the home partition.

Obvious candidates need not be named. I thus searched for a simple tutorial and, while some exhaustive ones exist (mostly for Arch, Gentoo, and Debian), all of them required quite a custom and long (i.e. error-prone in my hands) procedure.

Me being a natural[1] person, I tossed these aside and went for the obvious, dummy way. Since, due to space limitations, I didn't want to have a separate /home partition, Ubuntu was out of the picture (because, during install, it only allows encrypting /home). Instead, I turned to Debian netinst, which I had recently used in a VirtualBox image. And so I did:

  1. Create, in VirtualBox, a VM without hard drive, enough memory for Debian netinst (I guess around 512MB should be more than enough), and USB support.
  2. Configure this VM with the Debian netinst image as mounted CD, and boot from it.
  3. Plug in the USB key and pass ownership of it to the VM being booted.
  4. Proceed with standard Debian installation. When partitioning arrived, I could select my USB key as if it were any regular hard drive. Select encryption of everything but a small /boot partition. This way almost all usable space in the pendrive goes to the root partition which also comprises /home. You could separate them if you prefer. I also threw in a small swap partition, also encrypted. I don't very much care about flash wear, for this system is to be used sporadically on unknown machines.
  5. Complete installation, shut down the VM, unmount the USB key, boot from it in some machine to verify installation.
  6. Delight in being asked for your password in the early stages of console boot and everything working out of the box.
  7. Optional further steps:
    1. Insert the key in another running Linux (e.g. my desktop Ubuntu). Encrypted partitions are detected, you'll be asked for your password so you can unlock and mount them. I took advantage of this to unlock (but not mount) the USB root partition in order to remove the ext3 journal and downgrade to ext2 (and don't forget to change it in /etc/fstab), which is said to be preferable in flash media (did I just say that I don't care about flash wear? Well, if it can be avoided...)
    2. Change from stable to unstable in /etc/apt/sources.list if you prefer (as I do) a more bleeding-edge system. Boot from USB and upgrade system.
    3. Install restricted drivers and all the other wifi firmware (look for firmware-* packages) in order to be ready when you use this pendrive in some unknown machine.
    4. Install some GUI if you like (nowadays I go with xfce4 after the KDE and Gnome debacles).
    5. Customize to your liking, whatever.
    6. Update regularly.
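
A check for the layout chosen in step 4 (everything encrypted except /boot), as an added example that is not part of the original post: it parses `lsblk` output and reports any mounted filesystem or swap area with no dm-crypt layer underneath. The function names `check_layout` and `sample_layout` and the sample device names are constructed for illustration; run it while booted from the key, since it does not filter out other disks.

```shell
# Added example. Reads `lsblk -P` output on stdin and lists every mounted
# filesystem or swap area that has no dm-crypt mapping beneath it.
# /boot is skipped because it is plaintext by design. Exit status 1 = leak.
check_layout() {
  awk '
    # Return the value of KEY="value" on the current line.
    function field(key,   s) {
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    {
      k = field("KNAME"); if (k == "") next
      if (!(k in type)) order[n++] = k
      name[k] = field("NAME"); parent[k] = field("PKNAME")
      type[k] = field("TYPE"); fs[k] = field("FSTYPE")
      mnt[k]  = field("MOUNTPOINT")
    }
    END {
      for (i = 0; i < n; i++) {
        k = order[i]
        if (mnt[k] == "" && fs[k] != "swap") continue  # not in use
        if (mnt[k] == "/boot") continue                # plaintext by design
        enc = 0
        # Walk towards the disk looking for a dm-crypt layer.
        for (p = k; p != "" && !enc; p = parent[p])
          if (type[p] == "crypt") enc = 1
        if (!enc) { print name[k], (mnt[k] == "" ? "swap" : mnt[k]); bad = 1 }
      }
      exit bad + 0
    }'
}

# Constructed sample: the layout from step 4 (device names are made up).
sample_layout() {
  cat <<'EOF'
NAME="sdb" KNAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" KNAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext2" MOUNTPOINT="/boot"
NAME="sdb2" KNAME="sdb2" PKNAME="sdb" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sdb2_crypt" KNAME="dm-0" PKNAME="sdb2" TYPE="crypt" FSTYPE="ext2" MOUNTPOINT="/"
NAME="sdb3" KNAME="sdb3" PKNAME="sdb" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sdb3_crypt" KNAME="dm-1" PKNAME="sdb3" TYPE="crypt" FSTYPE="swap" MOUNTPOINT="[SWAP]"
EOF
}
# On the booted key:
#   lsblk -P -o NAME,KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | check_layout
sample_layout | check_layout && echo "sample: only /boot is plaintext"
```

Each line it prints is a device name followed by its mount point (or `swap` for an inactive swap area), so an empty result with exit status 0 means only /boot is readable without the passphrase.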

All in all, this was as easy-peasy as any other regular installation. I was mildly[2] surprised that it worked on the first try, to be honest. Even more so that nobody[3] else (that I could find) had documented this easier procedure to have a fully (but for /boot, of course) bootable live Debian USB.

[1] In the sense that mother Nature always finds the path of least resistance, i.e. effort.
[2] With today's generalized use of UUIDs and computers being regularly able to boot from USB, not so much really.
[3] I just learned about package live-magic which frankly makes this post moot (although it is broken in Ubuntu). As often happens in my current world of ignorance. Sheesh.