February 19, 2008

Running Debian GNU/Linux from an encrypted USB drive

Author: Avi Rozen

You're probably familiar with the live CD concept -- a fully functional operating system on a CD that can be run on any computer that boots from its optical drive, without affecting the one(s) already installed. In a similar vein, you can set up Linux to run from a USB hard drive drive on any computer that can boot from USB. The live system offers automatic detection and configuration of the display adapter and screen, storage devices, and other peripherals. A bootable USB drive can run a mainstream Linux distribution such as Debian GNU/Linux, and can be secured, personalised, upgraded, and otherwise modified to suit your needs.

To try setting up a bootable USB drive, you need a computer with an Internet connection, an optical drive to boot from, and a free USB 2.0 port, to which the external USB drive should be connected. We shall employ the standard install procedure for the testing version of Debian, a.k.a. Lenny, with some minor tweaks in order make the system "live."

Download the current netinst CD image for Debian Lenny, burn it to a CD, and boot the computer with it. You'll be greeted by the Debian logo. Press Enter at the boot prompt to start the text mode Debian-Installer, or launch the graphical Debian-Installer by typing installgui at the boot prompt.

When the installer asks you to select a partitioning method, select "Guided - use entire disk and setup encrypted LVM." Shortly after that you'll be asked to select a disk to be partitioned. Be careful here -- you do not want to select the internal hard disk. The external disk will be listed as a SCSI device, and it will not be the first device on the list.

You will then be asked to specify the partitioning scheme. Select "All files in one partition (recommended for new users)." The installer will ask for your confirmation before it erases the contents of the selected disk. This process is required before encryption, and may take a long time to complete (roughly two hours per 100GB). After that, the installer will prompt for an encryption passphrase, and then continue with the normal installation procedure.

At the last stretch of the installation, after all the required packages have been downloaded from the Internet and installed, you'll get the chance to install the GRUB boot loader. The installer is likely to suggest that GRUB should be installed on the internal disk, in order to achieve a dual boot configuration. You must instead install GRUB to the external disk.

Finally, the installer will attempt to reboot into your new system, but this step will fail until you make a few changes:

  • You must configure the computer BIOS to enable the option to boot from a USB device. The procedure differs depending on what BIOS your system uses, but it's usually easy to figure out.
  • GRUB sees the boot partition on the USB disk as the first partition of the first disk. The installer, however, treated the internal disk as the first disk. You need to edit grub/menu.lst to change the GRUB root to be (hd0,0) instead of something like (hd1,0). Fix the root line in every menu stanza and on the line that starts with # groot=.
  • The kernel may attempt to access the encrypted partition before the USB subsystem makes it available, causing the boot process to fail. Add rootdelay=10 to the kernel command line in every menu stanza in grub/menu.lst and at the line starting with # kopt=.

Following these fixes you should be able to boot the computer with the USB disk. In the process you'll be prompted for a passphrase to unlock the encrypted partition.

Going live

The system installed is already almost "live" in the sense that most hardware devices are automatically detected and configured during the boot process. However, some issues still remain to be resolved before you can take the USB disk to another computer.

The first issue to tackle is disk drive identification. The device path of the USB disk (e.g. /dev/sda if it came up as the first SCSI device) is hardwired by the installer into the crypt options inside the initial RAM file system (initrd image), the static encrypted file system list /etc/crypttab, and the file system table /etc/fstab. This is fine as long as the USB disk is mapped to the same device path as the one it was mapped to during the installation. However, the device path is liable to be different on another computer, or even on the same computer if, for example, another USB disk is attached.

You can get around this potential problem by referring to the partitions using their Universally Unique Identifiers (UUID), which you can determine by running the following command:

# ls -l /dev/disk/by-uuid
lrwxrwxrwx 1 root root 10 2008-01-15 22:34 0897f48a-462d-4ec5-9ef1-a60574fa1182 -> ../../sda5
lrwxrwxrwx 1 root root 10 2008-01-15 22:34 de018d5f-4dbc-4ed6-9724-4d5c793658aa -> ../../sda1

In this example, any reference in /etc/crypttab and /etc/fstab to /dev/sda1 and /dev/sda5 should be replaced with UUID=de018d5f-4dbc-4ed6-9724-4d5c793658aa and UUID=0897f48a-462d-4ec5-9ef1-a60574fa1182, respectively.

Once you've made changes to /etc/crypttab, you should run update-initramfs -t -u in order to fix the initrd image.

The other main problem is with the X server (i.e. the windowing system). It is configured during the installation process, and the setup is saved to the file /etc/X11/xorg.conf. If the hardware involved (display adapter, screen, keyboard, pointing device, etc.) is modified, you need to reconfigure the X server by running as root the command dpkg-reconfigure xserver-xorg.

It would be nice to avoid this when switching from one computer to the other. One option is to remove the file /etc/X11/xorg.conf so as to force the X server to autoconfigure itself. I had little luck with this approach, so I added the following at the end of the do_start function (just before the closing brace) in /etc/init.d/bootmisc.sh:

dpkg-reconfigure -fnoninteractive xserver-xorg

This should work as long as autodetection was selected for the display adapter and screen during the last time the X server was reconfigured interactively (such as during the installation process). This method also preserves the user's preferences for keyboard layouts.

You may experience problems in other areas, such as networking, but otherwise this setup should work as is on most machines.


It only took a straightforward install and minor modifications to a few files to get create a bootable live encrypted external hard drive. While the specific instructions above are bound to become stale as Linux, Debian, encryption standards, and computer hardware all evolve, I think it's safe to predict that setting up a bootable USB drive is bound to become even simpler in the future.


  • System Administration
  • Desktop Software
  • Desktop Hardware
Click Here!