rampke.de Archive

HOWTO: Installing grml 1.1 on an encrypted USB stick

26 August 2008

grml is a Debian Sid based live Linux aimed at system recovery. It also offers installing to a hard disk while retaining the hardware autodetection. This is how to put a portable Linux on an encrypted USB drive. This walkthrough is based on Tim Janik’s DebianEncryption. Credit also goes to ml for making me aware of grml.

Prerequisites

You will need

The latter two need not be identical. This process will work well within VirtualBox except for booting from USB, which is not supported.

Installing

Boot the working system. Plug in the USB stick. In /dev a few usb-sd*-devices will emerge after a few seconds. I will assume this is usb-sda (and possibly usb-sdaN). Run cfdisk /dev/usb-sda. Delete all partitions. Create one 50-100 MB partition and one using the remaining space. Write to disk and quit.

Run grml2hd. In the Partitions dialog select the larger of the just created partitions. The device may be named sda, this is ok; just be careful not to trash your hard disk. In the next dialog, install the bootloader to MBR. Be careful: select mbr, then press the SPACE key, and only then press ENTER. Choose a filesystem of your liking, ext3 is fine. Start the installation and go get some coffee.

Now it’s time to answer some more questions. No change for the boot parameters. Choose a name for your system. Select your keyboard and language settings; these will be the defaults on boot, but you can always invoke grml-quickconfig to change the keyboard setting temporarily. Enter the root and user passwords. Continue with the default options, but choose Grub as boot manager.

Create a file system on the 100 MB partition, mount both and move the /boot directory:

mkfs.ext3 /dev/usb-sda1
mount /dev/usb-sda1 /mnt/usb-sda1 -t ext3
mount /dev/usb-sda2 /mnt/usb-sda2 -t ext3
cp -ax /mnt/usb-sda2/boot/. /mnt/usb-sda1/.
rm -R /mnt/usb-sda2/boot/*

Get the volume id of your boot partition: vol_id --uuid /dev/usb-sda1. Now edit /mnt/usb-sda2/etc/fstab and insert right after the first line (this is one line):

/dev/disk/by-uuid/<volume id of your boot partition> /boot ext3 errors=remount-ro 0 1

Edit /mnt/usb-sda1/grub/menu.lst: change the line # groot=(hd?,1) (where ? is any number) to # groot=(hd0,0)

Now chroot into the usb system, mount some filesystems and update Grub:

mount --bind /dev /mnt/usb-sda2/dev
chroot /mnt/usb-sda2
mount /dev/usb-sda1 /boot -t ext3
mount /sys && mount /proc
echo "(hd0) /dev/sda" > /boot/grub/device.map
update-grub && grub-install /dev/usb-sda

You should now be able to boot from your USB system.

Encrypting

Boot into the working system again and plug in the USB stick. It may be advisable to do a complete backup of your progress so far; to do that mount your hard disk (mount /mnt/<your HD>) and run

dd if=/dev/usb-sda of=/mnt/<your HD>/<somewhere safe> bs=1M

Copy the contents of your root partition to your HD:

mount /dev/usb-sda2 /mnt/usb-sda2 -t ext3
cp -ax /mnt/usb-sda2/ /mnt/<your HD>/<somewhere safe>/
umount /mnt/usb-sda2

Now overwrite the root partition with random data, so unused sectors cannot be distinguished from encrypted ones:

dd if=/dev/urandom of=/dev/usb-sda2 bs=1M

Take a walk. Now it’s time to set up the encrypted device and copy the system files back:

echo "root /dev/usb-sda2 none luks" >> /etc/crypttab
cryptsetup luksFormat /dev/usb-sda2
/etc/init.d/cryptdisks start
mkfs.ext3 /dev/mapper/root
mkdir /mnt/root
mount /dev/mapper/root /mnt/root -t ext3
cp -ax /mnt/<your HD>/<somewhere safe>/. /mnt/root/.

It is advisable to choose a passphrase that can be typed easily on most keyboard layouts, i.e. one consisting only of numbers and letters, and no y or z. You will have to type it at system boot, before any keymap is loaded.

chroot into the USB system:

mount --bind /dev /mnt/root/dev
chroot /mnt/root
rm -f /etc/mtab && touch /etc/mtab
mount -o remount /
mount /proc && mount /sys && mount /boot

Edit /etc/fstab: change the root line (where the second column is just /) to /dev/mapper/root / ext3 errors=remount-ro 0 1

Edit /boot/grub/menu.lst: change the # kopt= line to

# kopt=root=/dev/mapper/root rootdelay=15 ro

Note the output of vol_id --uuid /dev/usb-sda2 and edit /etc/crypttab: Insert the line

root /dev/disk/by-uuid/<output of vol_id> none luks

Run update-initramfs -u && update-grub. That’s it; your USB system is ready to boot.
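Before that reboot it is worth checking that the three files edited above agree with each other, since a mismatch between crypttab, fstab and the kopt line means the kernel or initramfs cannot find the root filesystem. The following check is an added example, not part of the original howto; the function name and the sample files with placeholder UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added consistency check for the three files the walkthrough edits; it is not
# part of the original howto, and all UUIDs below are constructed placeholders.

# check_usb_crypt_config CRYPTTAB FSTAB MENU_LST
# Returns 0 when the LUKS target name, fstab and the grub kopt line agree;
# otherwise prints the first mismatch found and returns 1.
check_usb_crypt_config() {
    crypttab=$1 fstab=$2 menu=$3
    # 1. the first non-comment crypttab entry whose options column is "luks"
    target=$(awk '!/^#/ && NF >= 4 && $4 == "luks" { print $1; exit }' "$crypttab")
    [ -n "$target" ] || { echo "crypttab: no luks entry"; return 1; }
    src=$(awk -v t="$target" '!/^#/ && $1 == t { print $2; exit }' "$crypttab")
    case $src in /dev/disk/by-uuid/*) ;;
        *) echo "crypttab: source '$src' is not a by-uuid path"; return 1 ;; esac
    # 2. fstab must mount / from /dev/mapper/<target> and /boot by uuid
    rootdev=$(awk '!/^#/ && $2 == "/" { print $1; exit }' "$fstab")
    [ "$rootdev" = "/dev/mapper/$target" ] ||
        { echo "fstab: / is '$rootdev', expected /dev/mapper/$target"; return 1; }
    bootdev=$(awk '!/^#/ && $2 == "/boot" { print $1; exit }' "$fstab")
    case $bootdev in /dev/disk/by-uuid/*) ;;
        *) echo "fstab: /boot is '$bootdev', expected a by-uuid path"; return 1 ;; esac
    # 3. grub's "# kopt=" line must hand the same mapper device to the kernel
    kopt=$(sed -n 's/^# kopt=//p' "$menu" | head -n 1)
    case " $kopt " in *" root=/dev/mapper/$target "*) ;;
        *) echo "menu.lst: kopt '$kopt' lacks root=/dev/mapper/$target"; return 1 ;; esac
    return 0
}

# Constructed sample trees: GOOD is the end state of the howto; BAD skipped the
# fstab edit, so / still points at the raw partition instead of the mapping.
GOOD=$(mktemp -d); BAD=$(mktemp -d)
trap 'rm -rf "$GOOD" "$BAD"' EXIT
cat > "$GOOD/crypttab" <<'EOF'
root /dev/disk/by-uuid/11111111-2222-3333-4444-555555555555 none luks
EOF
cat > "$GOOD/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/disk/by-uuid/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /boot ext3 errors=remount-ro 0 1
/dev/mapper/root / ext3 errors=remount-ro 0 1
EOF
cat > "$GOOD/menu.lst" <<'EOF'
# kopt=root=/dev/mapper/root rootdelay=15 ro
# groot=(hd0,0)
EOF
cp "$GOOD/crypttab" "$GOOD/menu.lst" "$BAD/"
sed 's#^/dev/mapper/root /#/dev/sda2 /#' "$GOOD/fstab" > "$BAD/fstab"
check_usb_crypt_config "$GOOD/crypttab" "$GOOD/fstab" "$GOOD/menu.lst" && echo "GOOD: consistent"
check_usb_crypt_config "$BAD/crypttab" "$BAD/fstab" "$BAD/menu.lst" || echo "BAD: rejected"
```

On a real stick the same function is run inside the chroot against /etc/crypttab, /etc/fstab and /boot/grub/menu.lst.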