Howto install Debian encryptedly on a USB stick
This is an extension to Howto install Debian on a USB stick. Filesystem options apply to an encrypted system as well. If you are unable to add these options during installation you can always alter /etc/fstab later.
The installation of Debian on an encrypted USB stick is very easy. Starting with Debian GNU/Linux 5.0 alias lenny the installation automatically supports encrypted LUKS containers that contain swap space and the root filesystem.
Hence, selecting the option "Guided - use entire disk and set up encrypted LVM" as target will create a /boot partition of 255MB size and use the remaining space on the stick as encrypted LUKS container for swap and the root filesystem.
After booting the new system the initial ramdisk will ask for the password to unlock the encrypted container and continue with the system boot process. After adding the rootdelay parameter to GRUB you will be able to boot into your new system.
A problem arises, however, when Linux numbers your stick differently than during the installation. In that case the initial ramdisk cannot unlock the proper container and the system cannot be booted further.
You'll need an existing GNU/Linux system to rebuild the initial ramdisk so that the proper container can be unlocked. Mount the /boot partition (probably /dev/sdb1) of your USB stick and extract the initial ramdisk for inspection:
sudo mount /dev/sdb1 /mnt
mkdir /tmp/initrd
cd /tmp/initrd
zcat /mnt/initrd.img-2.6.26-2-686 | cpio -i
The file /conf/conf.d/cryptroot contains the mapping between encrypted containers and filesystems. The file looks like:
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1
You'll need to adjust the encrypted device names to use UUID as well. The blkid program will help you find out the proper id. After your adjustments the file should look like:
target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-root
target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-swap_1
After these adjustments the initial ramdisk needs to be rebuilt and installed in /boot again:
cd /tmp/initrd
find . | cpio -R 0:0 --reproducible -o -H newc | gzip > ../initrd.img
sudo cp ../initrd.img /mnt/initrd.img-2.6.26-2-686
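The cryptroot edit described above can be scripted so that a mistyped UUID is caught before the ramdisk is repacked. This is an added example, not part of the original howto; the function names are hypothetical and the sample entries are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example: switch cryptroot entries from a device node to a UUID.
# Function names are hypothetical; the sample lines are constructed from
# the entries shown in this howto.

# make_sample FILE: write a constructed two-entry cryptroot file.
make_sample() {
    cat > "$1" <<'EOF'
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1
EOF
}

# count_device_sources FILE: entries that still name a /dev node.
count_device_sources() {
    grep -c 'source=/dev/' "$1" || true
}

# rewrite_cryptroot FILE DEVICE UUID
#   DEVICE is the name recorded at install time (e.g. /dev/sda2), UUID is
#   what blkid reports for the LUKS partition of the stick.
rewrite_cryptroot() {
    file=$1 dev=$2 uuid=$3
    # Reject anything that is not a 36-character UUID, so a typo cannot
    # end up in an initrd that then fails to unlock the container.
    case $uuid in
        ''|*[!0-9a-fA-F-]*) echo "bad UUID: $uuid" >&2; return 1 ;;
    esac
    [ "${#uuid}" -eq 36 ] || { echo "bad UUID length: $uuid" >&2; return 1; }
    # Anchor on the following comma or end of line so that /dev/sda2
    # does not also match /dev/sda21.
    sed -e "s|source=$dev,|source=UUID=$uuid,|" \
        -e "s|source=$dev\$|source=UUID=$uuid|" "$file" > "$file.new" || return 1
    mv "$file.new" "$file"
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
rewrite_cryptroot "$sample" /dev/sda2 644399cc-e967-41e0-8d85-87d790cc13f8
cat "$sample"
rm -f "$sample"
```

In the unpacked ramdisk the file to pass is /tmp/initrd/conf/conf.d/cryptroot, and the UUID is the one blkid reports for the encrypted partition of the stick.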
USB sticks tend to be too small for what they are needed for. Therefore it is a good idea to save as much space as possible. You don't need 256 MB for /boot, for example. 64 MB space is sufficient for two kernels and initrd. Since USB sticks also tend to be slow for write accesses, their usefulness as swap device is highly questionable. To have some more space for your GNU/Linux system, you may want to skip the swap partition as well.
Select "Manual" in the partitioner and remove all partitions from the USB stick. Next create your boot partition of the size you prefer and select ext2 as filesystem. Don't forget the noatime and relatime options.
The next step is to create the encrypted container for your root filesystem. Create another partition on your stick but don't assign a filesystem to it. Select "Physical volume for encryption" instead. Then switch back to the partition menu.
Now select "Configure encrypted volumes" and prepare the new partition. You should be prepared to enter a long passphrase to protect the encrypted container. Wiping the disk beforehand will take a while. Use that time to generate a good passphrase. After the container has been created an ext3 filesystem is built upon it. You can switch to ext2 and select filesystem options later. The filesystem will be rebuilt afterwards.
The rest of the installation is as usual. Select the meta packages you'd like to install and install GRUB in the master boot record. Booting the system after reboot might not work, so you'll need an existing GNU/Linux system to alter the initial ramdisk.
Find out the UUID of the partition hosting the encrypted container and adjust the config file /conf/conf.d/cryptroot to use the UUID instead of the canonical device name. The file should look like:
target=sda2_crypt,source=UUID=118aad92-4ba2-4834-befa-1c3ff7a75689,key=none
After rebuilding the ramdisk as described above, edit the menu.lst file to append the rootdelay=8 option. A boot record should look like:
title Debian GNU/Linux, kernel 2.6.26-2-686
root (hd0,0)
kernel /vmlinuz-2.6.26-2-686 root=/dev/mapper/sda2_crypt ro quiet rootdelay=8
initrd /initrd.img-2.6.26-2-686
After that you should be able to boot your newly created system. The boot system will ask for the passphrase automatically upon boot and is unable to continue unless you have entered the correct passphrase.
I've installed a regular Debian desktop on a USB stick with laptop features. After executing apt-get clean there was about 1.2 GB free space on a 4 GB stick. That should be enough for a mobile system with some data. The larger the stick the more data can be stored on it, of course.