grml is a Debian Sid based live Linux aimed at system recovery. It also offers installing to a hard disk while retaining the hardware autodetection. This is how to put a portable Linux on an encrypted USB drive. This walkthrough is based on Tim Janik’s DebianEncryption. Credit also goes to ml for making me aware of grml.
You will need
The latter two need not be identical. This process will work well within VirtualBox except for booting from USB, which is not supported.
Boot the working system. Plug in the USB stick. In /dev a few usb-sd*-devices will emerge after a few seconds. I will assume this is usb-sda (and possibly
cfdisk /dev/usb-sda. Delete all partitions. Create one 100 MB partition and one using the remaining space. Write to disk and quit.
grml2hd. In the Partitions dialog select the larger of the just created partitions. The device may be named sda, this is ok; just be careful not to trash your hard disk. In the next dialog, install the bootloader to MBR. Be careful: select mbr, then press the SPACE key, and only then press ENTER. Choose a filesystem of your liking, ext3 is fine. Start the installation and go get some coffee.
Now it’s time to answer some more questions. No change for the boot parameters. Choose a name for your system. Select your keyboard and language settings - these will be the defaults on boot, but you can always invoke grml-quickconfig to change the keyboard setting temporarily. Enter root and user password. Continue with the default options, but choose Grub as boot manager.
Create a file system on the 100 MB partition, mount both and move the
mkfs.ext3 /dev/usb-sda1
mount /dev/usb-sda1 /mnt/usb-sda1 -t ext3
mount /dev/usb-sda2 /mnt/usb-sda2 -t ext3
cp -ax /mnt/usb-sda2/boot/. /mnt/usb-sda1/.
rm -R /mnt/usb-sda2/boot/*
Get the volume id of your boot partition: vol_id --uuid /dev/usb-sda1. Now edit /mnt/usb-sda2/etc/fstab and insert right after the first line (this is one line):
/dev/disk/by-uuid/<volume id of your boot partition> /boot ext3 errors=remount-ro 0 1
/mnt/usb-sda1/grub/menu.lst: change the line # groot=(hd?,1) (where ? is any number) to
chroot into the usb system, mount some filesystems and update Grub:
mount --bind /dev /mnt/usb-sda2/dev
chroot /mnt/usb-sda2
mount /dev/usb-sda1 /boot -t ext3
mount /sys && mount /proc
echo "(hd0) /dev/sda" > /boot/grub/device.map
update-grub && grub-install /dev/usb-sda
You should now be able to boot from your USB system.
Boot into the working system again and plug in the USB stick. It may be advisable to do a complete backup of your progress so far; to do that mount your hard disk (mount /mnt/<your HD>) and run
dd if=/dev/usb-sda of=/mnt/<your HD>/<somewhere safe> bs=1M
Copy the contents of your root partition to your HD:
mount /dev/usb-sda2 /mnt/usb-sda2 -t ext3
cp -ax /mnt/usb-sda2/. /mnt/<your HD>/<somewhere safe>/.
umount /mnt/usb-sda2
Now overwrite the root partition with random data, so unused sectors cannot be distinguished:
dd if=/dev/urandom of=/dev/usb-sda2 bs=1M
Take a walk. Now it’s time to set up the encrypted device and copy the system files back:
echo "root /dev/usb-sda2 none luks" >> /etc/crypttab
cryptsetup luksFormat /dev/usb-sda2
/etc/init.d/cryptdisks start
mkfs.ext3 /dev/mapper/root
mkdir /mnt/root
mount /dev/mapper/root /mnt/root -t ext3
cp -ax /mnt/<your HD>/<somewhere safe>/. /mnt/root/.
It is advisable to choose a passphrase which can be easily typed on most keyboard layouts, i.e. which consists only of numbers and letters, and no y or z. You will have to type it at system boot, before any keymap is loaded.
chroot into the USB system:
mount --bind /dev /mnt/root/dev
chroot /mnt/root
rm -f /etc/mtab && touch /etc/mtab
mount -o remount /
mount /proc && mount /sys && mount /boot
/etc/fstab: change the root line (where the second column is just /) to
/dev/mapper/root / ext3 errors=remount-ro 0 1
/boot/grub/menu.lst: change the # kopt= line to
# kopt=root=/dev/mapper/root rootdelay=15 ro
Note the output of vol_id --uuid /dev/usb-sda2 and edit /etc/crypttab: Insert the line
root /dev/disk/by-uuid/<output of vol_id> none luks
update-initramfs -u && update-grub. This is it, your USB system is ready to boot.
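A mismatch between crypttab, fstab and the kopt line leaves the stick unbootable, so the three edited files can be checked against each other before rebooting. The script below is an added example, not part of the original walkthrough; the function names check_usb_root and make_sample and the sample UUIDs are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot check of the files this walkthrough edits.
# Usage: check_usb_root DIR   (DIR = USB root, e.g. /mnt/root, with /boot mounted)
check_usb_root() {
    r=${1:-/} rc=0
    # /etc/crypttab: mapping "root" must name the LUKS partition by UUID
    src=$(awk '$1 == "root" && $4 ~ /luks/ { print $2 }' "$r/etc/crypttab" 2>/dev/null)
    case $src in
        /dev/disk/by-uuid/?*) ;;
        *) echo "crypttab: no 'root' luks entry with a by-uuid source" >&2; rc=1 ;;
    esac
    # /etc/fstab: / must be the mapped device, /boot the plaintext partition by UUID
    rootdev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$r/etc/fstab" 2>/dev/null)
    bootdev=$(awk '$1 !~ /^#/ && $2 == "/boot" { print $1 }' "$r/etc/fstab" 2>/dev/null)
    [ "$rootdev" = /dev/mapper/root ] ||
        { echo "fstab: / is '$rootdev', expected /dev/mapper/root" >&2; rc=1; }
    case $bootdev in
        /dev/disk/by-uuid/?*) ;;
        *) echo "fstab: /boot is '$bootdev', expected a by-uuid device" >&2; rc=1 ;;
    esac
    # /boot/grub/menu.lst: the "# kopt=" line is what update-grub reads
    kopt=$(sed -n 's/^# kopt=//p' "$r/boot/grub/menu.lst" 2>/dev/null)
    case " $kopt " in
        *" root=/dev/mapper/root "*) ;;
        *) echo "menu.lst: kopt lacks root=/dev/mapper/root" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample tree (UUIDs are made up) holding the lines from the steps above
make_sample() {
    mkdir -p "$1/etc" "$1/boot/grub"
    echo "root /dev/disk/by-uuid/11111111-2222-3333-4444-555555555555 none luks" > "$1/etc/crypttab"
    printf '%s\n' "/dev/mapper/root / ext3 errors=remount-ro 0 1" \
        "/dev/disk/by-uuid/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /boot ext3 errors=remount-ro 0 1" \
        > "$1/etc/fstab"
    echo "# kopt=root=/dev/mapper/root rootdelay=15 ro" > "$1/boot/grub/menu.lst"
}

demo=$(mktemp -d)
make_sample "$demo"
check_usb_root "$demo" && echo "sample tree: consistent"
rm -rf "$demo"
```

Run it from the working system as check_usb_root /mnt/root while the encrypted root and /boot are still mounted; each failed check is reported on stderr and the function returns non-zero.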