
Encrypted Debian Live USB key

Posted by inputs_marmalade on Fri 6 Mar 2009 at 09:27

Handling mostly old or problematic hardware, and not always having a stable internet connection, I have been struggling to find a live CD/USB key system which is slim, easy and fast to customize, fully encryptable, and includes the Debian network installer.

The great work of the Debian Live team finally provided me with a suitable solution. Debian Live is easily customizable, it shortens the time needed to create an up-to-date version of your own live system after each customization, it is 100% pure Debian, it can integrate the latest Debian netinstall image, and it supports encrypting the whole live filesystem out of the box.

Loop-AES encrypted, standard Debian Live in four steps

I reserve about 3 GB of disk space for the Debian Live image creation.

1. Install the live helper package

root@host:~# apt-get install live-helper

2. Make a dedicated directory and enter in it

root@host:~# mkdir DebianLive
root@host:~# cd DebianLive

3. Prepare the configuration of the live system

root@host:~/DebianLive# lh_config -b usb-hdd -d lenny -e aes256

4. Create the image

root@host:~/DebianLive# lh_build
This takes quite a while and, if nothing fails, will prompt twice for the encryption passphrase.
The result is a file called binary.img, which you then copy to a USB key with dd. Remember: dd overwrites the whole key! Double-check that your USB key really is /dev/sda (compare the output of dmesg or fdisk -l before and after plugging it in) and that it holds no data you still need. Write to the whole device, not to a partition:
root@host:~/DebianLive# dd if=binary.img of=/dev/sda bs=1M
Note that only the squashfs root filesystem is encrypted: the bootloader, kernel and initrd on the key are necessarily stored in the clear, so the key protects your data against disclosure, not against someone tampering with the boot code.

Customization of Debian Live

The lh_config command has many options: man lh_config describes most of them. These options change the default configuration files created in the config/ directory by live-helper, where you can also edit the files by hand. There are many places to intervene in the process, but here I will only introduce the most obvious ones.

The lh_config command creates a directory tree, some of whose notable directories are:

|-- config
|   |-- (...)
|   |-- chroot_local-includes
|   |-- chroot_local-packages
|   |-- chroot_local-packageslists
|   |-- (...)
`-- scripts

You can add in here whatever you want to find in your final live system image:

  • add single packages (.deb) you want to install in config/chroot_local-packages/

  • add lists of packages from the apt repositories in config/chroot_local-packageslists/
    You can make your own or find pre-made lists in /usr/share/live-helper/lists/
    You must then tell live-helper to include your own list: lh_config --packages-lists "my_package_list"
  • add your own files in config/chroot_local-includes/
    As an example, if you want to add your modified /etc/privoxy/config file, copy it to config/chroot_local-includes/etc/privoxy/config
Note: more experienced users will notice that adding a directory tree in config/chroot_local-includes/ is not a very orthodox way to deal with directories like /home/user/ (I am not going into the significance of /etc/skel/ here), but in my own experience it meets my requirements.

If the lh_build command fails at some point, lh_clean clears everything except the config/ and cache/ directories. In my experience, most failures at this point are apt-get related. Remember that you have to run lh_clean before building a new image in a directory tree that has already been used!
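The four steps and the customization above can be wrapped in one script. The following is an added example, not code from the article: it runs the lh_config options the article uses, writes an own package list and a local include, and, before dd, refuses any target that is not a whole removable sd? disk or that holds the running root filesystem (the sd? naming, the /sys/block/<dev>/removable flag, the package names in the list and the SYSFS/ROOT_SRC overrides are assumptions made for this example).

```shell
#!/bin/sh
# build-live.sh: wrap the live-helper steps from the article and add a
# safety check before dd overwrites the USB key.  Added example; assumes
# live-helper 1.x (lh_config/lh_build) on a Debian host with /sys mounted.
set -eu

WORKDIR=${WORKDIR:-"$HOME/DebianLive"}
DIST=${DIST:-lenny}
PKGLIST=${PKGLIST:-my_package_list}

# Steps 1-4: install live-helper, create the tree, write the config,
# drop in an own package list and a local include, then build.
build_live() {
    apt-get install -y live-helper
    mkdir -p "$WORKDIR"
    cd "$WORKDIR"
    lh_config -b usb-hdd -d "$DIST" -e aes256 \
        --debian-installer enabled --debian-installer-distribution "$DIST" \
        --packages-lists "$PKGLIST"
    # own package list, read because of --packages-lists (names are illustrative)
    printf '%s\n' gnupg privoxy cryptsetup \
        > "config/chroot_local-packageslists/$PKGLIST"
    # a modified config file that ends up as /etc/privoxy/config in the live system
    if [ -f /etc/privoxy/config ]; then
        mkdir -p config/chroot_local-includes/etc/privoxy
        cp /etc/privoxy/config config/chroot_local-includes/etc/privoxy/config
    fi
    lh_build    # prompts twice for the loop-AES passphrase
}

# Refuse to dd unless DEV is a whole sd? disk, flagged removable in sysfs,
# and not the disk that holds /.  SYSFS and ROOT_SRC can be overridden so
# the check can be exercised without real hardware.
check_usb_target() {
    dev=$1
    name=${dev##*/}
    sysfs=${SYSFS:-/sys}
    root_src=${ROOT_SRC:-$(df -P / | awk 'NR == 2 { print $1 }')}
    case "$name" in
        sd[a-z]) ;;
        *) echo "refusing: $dev is not a whole sd? disk" >&2; return 1 ;;
    esac
    if [ "$(cat "$sysfs/block/$name/removable" 2>/dev/null)" != 1 ]; then
        echo "refusing: $dev is not flagged removable" >&2; return 1
    fi
    case "$root_src" in
        "/dev/$name"|"/dev/$name"[0-9]*)
            echo "refusing: $dev holds the root filesystem" >&2; return 1 ;;
    esac
    return 0
}

# Step 4b: write the image to the key, whole device, and flush caches.
write_image() {
    img=$1; dev=$2
    check_usb_target "$dev"
    dd if="$img" of="$dev" bs=1M conv=fsync
    sync
}

# Usage: ./build-live.sh build
#        ./build-live.sh write binary.img /dev/sda
case "${1:-}" in
    build) build_live ;;
    write) write_image "$2" "$3" ;;
esac
```

The device check is deliberately strict: a partition name, a fixed disk, or the disk carrying / all make it bail out before dd runs, which is the failure the article warns about.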

About sensitive data

You can either include all your private files, configuration files and secret keys in your Debian Live image or, as I personally prefer, store sensitive data (such as /home/user/.gnupg/, /home/user/verysecret.txt or even /home/user/.mozilla/firefox/) in an encrypted container on the second partition of your USB key. I use loop-AES for the container; if you prefer other encryption software, add it to your package list so it is available in the live system. Later, either by hand or with a script, you can use that sensitive data in your live system:

- synchronize this data between your home computer and the container
- copy your freshly made Debian Live binary image to a USB key
- copy the encrypted container to the second partition of the USB key
once you later boot from USB:
- mount the container from within the live system
- make symbolic links from the live system to your sensitive data (changes will be stored in your container)
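The mount-and-link part of that procedure, as an added example that is not the article's own script. It uses dm-crypt/LUKS via cryptsetup for the container instead of the article's loop-AES (dm-crypt is mentioned later in the comments and cryptsetup is packaged in Debian); the device name /dev/sdb2, the mount point and the list of secret paths are assumptions for this example. Existing data in the home directory is moved aside rather than deleted, paths missing from the container are skipped, and running it twice is harmless.

```shell
#!/bin/sh
# use-secrets.sh: open the encrypted container on the key's second partition
# and link the sensitive paths into the live user's home.  Added example;
# uses cryptsetup (dm-crypt/LUKS) rather than the article's loop-AES.
set -eu

CONTAINER=${CONTAINER:-/dev/sdb2}     # second partition of the USB key (assumed)
MAPPER=${MAPPER:-secrets}             # name under /dev/mapper
MNT=${MNT:-/media/secrets}
# paths relative to $HOME that should live in the container (assumed list)
SECRET_PATHS=".gnupg .mozilla/firefox verysecret.txt"

# Create the container once, on the home computer.  Destroys the partition.
create_container() {
    cryptsetup luksFormat "$CONTAINER"
    cryptsetup luksOpen "$CONTAINER" "$MAPPER"
    mkfs.ext3 "/dev/mapper/$MAPPER"
    cryptsetup luksClose "$MAPPER"
}

# Unlock and mount the container inside the live system (asks the passphrase).
open_container() {
    cryptsetup luksOpen "$CONTAINER" "$MAPPER"
    mkdir -p "$MNT"
    mount -o nodev,nosuid "/dev/mapper/$MAPPER" "$MNT"
}

close_container() {
    umount "$MNT"
    cryptsetup luksClose "$MAPPER"
}

# Replace each secret path in HOME_DIR with a symlink into MNT_DIR.
# Existing data is moved to <path>.orig, never deleted; paths absent from
# the container are skipped; an existing symlink is simply refreshed.
link_secrets() {
    home_dir=$1; mnt_dir=$2
    for rel in $SECRET_PATHS; do
        src="$mnt_dir/$rel"
        dst="$home_dir/$rel"
        [ -e "$src" ] || { echo "skip: $rel not in container" >&2; continue; }
        mkdir -p "$(dirname "$dst")"
        if [ -L "$dst" ]; then
            rm "$dst"
        elif [ -e "$dst" ]; then
            mv "$dst" "$dst.orig"
        fi
        ln -s "$src" "$dst"
        echo "linked $rel -> $src"
    done
}

# Usage: ./use-secrets.sh create | open | close
case "${1:-}" in
    create) create_container ;;
    open)   open_container; link_secrets "$HOME" "$MNT" ;;
    close)  close_container ;;
esac
```

Because the links point into the mounted container, everything gpg or Firefox writes during the session lands in the encrypted partition and survives the reboot, while the read-only squashfs stays untouched. Run close before pulling the key.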

Anyway, if you don't need encryption for it, live-helper can store all changes made during a live session through the "persistence" option.
Further information about "persistence" and many other live-helper topics can be found on the Debian Live homepage, notably in the Debian Live manual and in the Debian Live wiki.

Last but not least, here is a very short reminder of some useful lh_config options:

-d lenny   # choose the debian distribution to use [lenny|squeeze|sid]
-b usb-hdd   # define the image type to build [iso|net|tar|usb-hdd]
-e aes256   # encrypt the root filesystem with loop-AES [aes128|aes192|aes256]
--mirror-bootstrap   # use your own apt-proxy/mirror/cacher
--mirror-chroot   # use your own apt-proxy/mirror/cacher
--mirror-chroot-security   # use your own apt-proxy/mirror/cacher
--mirror-binary   # added to the live system's /etc/apt/sources.list
--mirror-binary-security   # added to the live system's /etc/apt/sources.list
--debian-installer enabled   # include the debian network installer in your image
--debian-installer-distribution lenny   # choose the debian installer distribution to use [lenny|squeeze|sid]
--packages-lists "my_package_list"   # install the packages listed in config/chroot_local-packageslists/my_package_list
--bootstrap-flavour minimal --packages-lists "minimal"  # the minimal flavour image will be about 100MB



Re: Encrypted Debian Live USB key
Posted by Anonymous (85.130.xx.xx) on Fri 6 Mar 2009 at 17:55
I use live-magic ;)

Enjoy :)

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by Anonymous (118.136.xx.xx) on Sun 8 Mar 2009 at 12:17
Can you tell me how to change the passphrase on my live USB?


[ Parent ]

Re: Encrypted Debian Live USB key
Posted by inputs_marmalade (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Sun 8 Mar 2009 at 20:03
You can't change the password of a live usb image! Just make another binary image, which shouldn't be a problem if you already did it once!

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by Anonymous (118.136.xx.xx) on Wed 11 Mar 2009 at 00:58
If I have made one once and I want to change the passphrase from inside the live system, can I do that, and can you tell me how?


[ Parent ]

Re: Encrypted Debian Live USB key
Posted by inputs_marmalade (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Wed 11 Mar 2009 at 20:40
No, you can't change the passphrase of the live system itself from inside the live system! Once the live-system image has been done, it is encrypted with the passphrase you provide and the whole thing is stored as a squashfs read-only container.
But the good thing is: you can have a new Debian Live image in a reasonable time. The way I do it, is to keep a copy of the things I have added to the "chroot_local" directories listed in the article, and I made myself a .txt file to remember the large "lh_config" command. Have a look: ing
Doing it like this, it's only some cut'n'paste: keep a copy of the things you add in an ordered place, and you'll be able to have a new Debian Live image with a new passphrase in an hour (CPU running at 1.4GHz), but with up-to-date software in it.
In my opinion, the whole good thing about Debian Live is exactly that it is faster to make a new up-to-date image than anything else I know: each time you'll add/remove something, so each time it becomes more likely to be the image you really need.

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by Anonymous (164.53.xx.xx) on Tue 10 Mar 2009 at 00:43

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by Anonymous (85.87.xx.xx) on Sun 15 Mar 2009 at 03:27
Very useful howto

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by suspended user goumba (24.164.xx.xx) on Tue 24 Mar 2009 at 18:13
Great work.

Is there any way to control what architecture the image is built for? My desktop is a lowly P4 with not enough hard disk space to even install Debian (family too used to Windows). My two Debian laptops are PowerPC and AMD64 based. The computers at work are mixed x64 and amd64. I think most beneficial to me would be an image with x86 binaries, but I have no available system to do so. Is there some way to configure lh to build an image with x86 binaries on a system with a different architecture?

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by inputs_marmalade (89.180.xx.xx) on Wed 25 Mar 2009 at 11:30
Though the lh_config command has an architecture option ( --architecture ), it is intended for a live image with a double flavour kernel, like 486 and 686. I suppose it is not possible to issue an image on a machine with a different architecture without using an emulator. In your scenario, maybe the simplest thing to do is making your own live system from inside a standard live-cd/usb. You can download standard Debian Live images from the Debian Live homepage. Once you have started from CD/USB on an x86 machine, install live-helper. You could even use the hard disk of the x86 machine, although I don't know if the lack of filesystem permissions on ntfs and vfat could be problematic.
Good luck and have fun!

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by leseb (82.228.xx.xx) on Wed 27 Jan 2010 at 14:54
Hi all,
An error occurred on boot.
I wrote my key and I got this error:

LOOP_SET_STATUS: Invalid argument, requested cipher or key length (256 bits) not supported by kernel

Anyone can help me ?


[ Parent ]

Re: Encrypted Debian Live USB key
Posted by Anonymous (174.56.xx.xx) on Mon 27 Dec 2010 at 05:00
Can anyone breakdown the exact steps needed to create the AES loop on the second container / partition? I understand why the steps listed in the article are needed and work but am not sure how to accomplish these steps in practice...

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by inputs_marmalade (79.145.xx.xx) on Wed 29 Dec 2010 at 15:46
Here a link about loop-aes container creation: d_volumes

Make a container, mount it, fill it with your supersecret files, unmount it and copy the container to the usb key!

Same thing with dm-crypt, look in the "Encrypted image file" section of this article:

If that's too complicated you can try using Truecrypt (which, unfortunately, is not GPL software) but has a simple user interface...

Good luck!

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by Anonymous (110.39.xx.xx) on Sat 10 Dec 2011 at 14:58
Hi... I have created the iso file, but when I tested it, it asks for a login and password, and I don't know about that because I didn't mention any login or password in the binary file. Can anyone help on this issue, how to change the login password, as I could not find login/password fields in the binary file or any other file? Thanks...

[ Parent ]

Re: Encrypted Debian Live USB key
Posted by Anonymous (188.77.xx.xx) on Tue 20 Dec 2011 at 11:28
There's an option you can set from the command line:

--username live-user

look in the manual page of the debian live package!

[ Parent ]