The Debian Project

Howto install Debian encryptedly on a USB stick

This is an extension to Howto install Debian on a USB stick. Filesystem options apply to an encrypted system as well. If you are unable to add these options during installation you can always alter /etc/fstab later.

The installation of Debian on an encrypted USB stick is very easy. Starting with Debian GNU/Linux 5.0 alias lenny the installation automatically supports encrypted LUKS containers that contain swap space and the root filesystem.

Hence, selecting the option "Guided - use entire disk and set up encrypted LVM" as target will create a /boot partition of 255 MB and use the remaining space on the stick as an encrypted LUKS container for swap and the root filesystem.

After booting the new system the initial ramdisk will ask for the password to unlock the encrypted container and continue with the system boot process. After adding the rootdelay parameter to GRUB you will be able to boot into your new system.

A problem arises, however, when Linux numbers your stick differently than during the installation. In that case the initial ramdisk cannot unlock the proper container and the system cannot be booted any further.

You'll need an existing GNU/Linux system to rebuild the initial ramdisk so that the proper container can be unlocked. Mount the /boot partition (probably /dev/sdb1) of your USB stick and extract the initial ramdisk for inspection:

  sudo mount /dev/sdb1 /mnt
  mkdir /tmp/initrd
  cd /tmp/initrd
  zcat /mnt/initrd.img-2.6.26-2-686 | cpio -i

The file /conf/conf.d/cryptroot contains the mapping between encrypted containers and filesystems. The file looks like:

  target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root
  target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1

You'll need to adjust the encrypted device names to use UUIDs instead. The blkid program will help you find out the proper UUID of the partition holding the LUKS container. After your adjustments the file should look like:

  target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-root
  target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-swap_1

After these adjustments the initial ramdisk needs to be rebuilt and installed in /boot again:

  cd /tmp/initrd
  find . | cpio -R 0:0 --reproducible -o -H newc | gzip > ../initrd.img
  sudo cp ../initrd.img /mnt/initrd.img-2.6.26-2-686

Custom disk layout

USB sticks tend to be too small for what they are needed for. Therefore it is a good idea to save as much space as possible. You don't need 256 MB for /boot, for example; 64 MB is sufficient for two kernels and their initrds. Since USB sticks also tend to be slow for write accesses, their usefulness as a swap device is highly questionable. To have some more space for your GNU/Linux system, you may want to skip the swap partition as well.

Select "Manual" in the partitioner and remove all partitions from the USB stick. Next create your boot partition of the size you prefer and select ext2 as filesystem. Don't forget the noatime and relatime options.

The next step is to create the encrypted container for your root filesystem. Create another partition on your stick but don't assign a filesystem to it. Select "Physical volume for encryption" instead. Then switch back to the partition menu.

Now select "Configure encrypted volumes" and prepare the new partition. You should be prepared to enter a long passphrase to protect the encrypted container. Wiping the disk beforehand will take a while; use that time to generate a good passphrase. After the container has been created an ext3 filesystem is built upon it. You can switch to ext2 and select filesystem options later. The filesystem will be rebuilt afterwards.

The rest of the installation is as usual. Select the meta packages you'd like to install and install GRUB in the master boot record. Booting the system after reboot might not work, so you'll need an existing GNU/Linux system to alter the initial ramdisk.

Find out the UUID of the partition hosting the encrypted container and adjust the config file /conf/conf.d/cryptroot to use the UUID instead of the canonical device name. The file should look like:

  target=sda2_crypt,source=UUID=118aad92-4ba2-4834-befa-1c3ff7a75689,key=none
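The cryptroot adjustment described here and in the LVM case above, as an added shell example that is not part of the original howto: it rewrites every source=/dev/... entry to a UUID= reference and checks that no device name is left, with the UUID assumed to have been read beforehand from blkid (the sample file and UUID are taken from the howto's own examples).

```shell
#!/bin/sh
# Added example, not from the original howto: convert the source= fields of
# an extracted /conf/conf.d/cryptroot from kernel device names (/dev/sda2)
# to UUID= references and verify the result. Works for both the LVM layout
# (lvm= field present) and the plain root-only layout (no lvm= field).
# Assumes the UUID was looked up with:  sudo blkid -s UUID -o value /dev/sdb2

# rewrite_cryptroot FILE UUID
# Print FILE with every "source=/dev/..." replaced by "source=UUID=UUID".
# Returns 1 and prints nothing unless UUID is 8-4-4-4-12 lowercase hex,
# so a mistyped value cannot be baked into the initramfs.
rewrite_cryptroot() {
    printf '%s\n' "$2" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    sed "s|^\(target=[^,]*,\)source=/dev/[^,]*|\1source=UUID=$2|" "$1"
}

# cryptroot_ok FILE
# Succeed only if no line still points at a /dev node and every line
# carries a source=UUID= entry; a leftover device name is exactly what
# breaks the boot when the stick is numbered differently.
cryptroot_ok() {
    ! grep -q 'source=/dev/' "$1" && ! grep -vq 'source=UUID=' "$1"
}

# Constructed sample, identical to the lenny-era file shown in the howto.
CRYPTROOT_SAMPLE=$(mktemp)
cat > "$CRYPTROOT_SAMPLE" <<'EOF'
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1
EOF
# UUID from the howto's example; on a real stick use the blkid output.
EXAMPLE_UUID=644399cc-e967-41e0-8d85-87d790cc13f8

CRYPTROOT_FIXED=$(mktemp)
rewrite_cryptroot "$CRYPTROOT_SAMPLE" "$EXAMPLE_UUID" > "$CRYPTROOT_FIXED"
# Only show the rewritten file once it passes the check.
cryptroot_ok "$CRYPTROOT_FIXED" && cat "$CRYPTROOT_FIXED"
```

Copy the checked file back to /tmp/initrd/conf/conf.d/cryptroot before rebuilding the ramdisk as shown above.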

After rebuilding the ramdisk as described above, edit the menu.lst file to append the rootdelay=8 option. A boot record should look like:

  title           Debian GNU/Linux, kernel 2.6.26-2-686
  root            (hd0,0)
  kernel          /vmlinuz-2.6.26-2-686 root=/dev/mapper/sda2_crypt ro quiet rootdelay=8
  initrd          /initrd.img-2.6.26-2-686

After that you should be able to boot your newly created system. The boot system will ask for the passphrase automatically upon boot and is unable to continue unless you have entered the correct passphrase.

I've installed a regular Debian desktop on a USB stick with laptop features. After executing apt-get clean there was about 1.2 GB free space on a 4 GB stick. That should be enough for a mobile system with some data. The larger the stick the more data can be stored on it, of course.