#1 2016-06-08 08:09:25

kuroshi
Member
Registered: 2016-06-08
Posts: 7

Install Boot partition and grub on Flash

Hello,
I have a computer with Linux installed, encrypted with LUKS.
What I want to do is to reinstall, but with the boot partition (aka /boot) residing on a USB flash drive.
Also, can I install GRUB on the USB too?
The rest of the partitions I want to stay on an encrypted LVM on an internal hard drive.

In short, I want an encrypted computer:
1) on the physical HDD of a laptop, an encrypted LVM drive without /boot
2) /boot and GRUB to reside on USB flash memory

3) I have a UEFI-compliant computer, so where should I put the UEFI partition (making a GPT scheme)?


Is what I want possible?
On the internet I did not find anything about that, only how to install a full persistent OS on USB.

My thoughts are the following:
Normal install, but put boot on /dev/sdb, format with mkfs.vfat and flag as boot,
/dev/sda being the internal HDD with / and /home inside a crypt LVM.

I hope I made myself understood.


For notice: I have fully installed Arch and Gentoo, so I am used to command-line installs. I don't want line-by-line commands, only what deviates from a typical install (setting boot and UEFI on a different drive).

#2 2016-06-08 12:30:05

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138

Re: Install Boot partition and grub on Flash

Yes, it is possible; I'm writing this from an Arch computer set up like so.
You want to look into the remote header option of LUKS; it ensures that on your internal hard drive there is nothing but random data and no hint of an encrypted partition.
https://wiki.archlinux.org/index.php/Dm … UKS_header
The remote header file header.img will be located on the USB stick, on the /boot partition.

You can make /boot and the UEFI System Partition the same partition; it is convenient.
So create a UEFI System Partition on the USB stick, which must be big enough to also hold /boot. Mine is 512 MB.

You can use crypttab.initramfs to make the initramfs find your LUKS container, and unlock it with the remote header.

CryptGroup PARTUUID=12345 - luks,header=/boot/header.img

This will name the LVM group "CryptGroup".

You have to use systemd in the initramfs to use crypttab.initramfs, and the following hooks:

HOOKS="systemd autodetect modconf block sd-vconsole keyboard sd-encrypt sd-lvm2 filesystems fsck"

The bootloader needs this root option to find the root LVM volume, called "rootvol" here:

root=/dev/CryptGroup/rootvol

Some other hints, which will be useful later:
- Don't put /boot in your fstab, you want to remove the USB stick after booting.
- When you upgrade with pacman, you must insert the USB stick and mount /boot.
- Use this pacman hook to ensure /boot is mounted https://github.com/andrewgregory/pachoo … -boot.hook

Last edited by teateawhy (2016-06-08 12:34:20)
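
A pre-reboot sanity check for the layout described in post #2, as an added example that is not part of the original thread: it verifies the three points the post calls out (a `header=` option in crypttab.initramfs, the systemd hooks it lists, and no /boot entry in fstab). The function names and the sample files are constructed for illustration; on a real system the functions would be pointed at /etc/crypttab.initramfs, /etc/mkinitcpio.conf and /etc/fstab.

```shell
#!/bin/sh
# Added example: checks for the USB-boot + detached-header layout.
# Function names and sample file contents are constructed for illustration.

# crypttab.initramfs needs an entry whose options include luks and header=<file>.
check_crypttab() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         NF >= 4 { o = "," $4 ","
                   if (index(o, ",luks,") && o ~ /,header=[^,]+,/) ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# mkinitcpio.conf must list the systemd-based hooks named in the post.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"][[:space:]]*$/\1/p' "$1" | tail -n 1)
    for need in systemd sd-encrypt sd-lvm2; do
        case " $hooks " in
            *" $need "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# fstab must not mount /boot, because the stick is removed after booting.
check_fstab() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $2 == "/boot" { found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# Constructed sample files mirroring the values quoted in the thread.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'CryptGroup PARTUUID=12345 - luks,header=/boot/header.img' \
    > "$demo/crypttab.initramfs"
printf '%s\n' 'HOOKS="systemd autodetect modconf block sd-vconsole keyboard sd-encrypt sd-lvm2 filesystems fsck"' \
    > "$demo/mkinitcpio.conf"
printf '%s\n' '# constructed fstab' '/dev/CryptGroup/rootvol / ext4 defaults 0 1' \
    > "$demo/fstab"

check_crypttab "$demo/crypttab.initramfs" && echo "crypttab.initramfs: ok"
check_hooks "$demo/mkinitcpio.conf" && echo "HOOKS: ok"
check_fstab "$demo/fstab" && echo "fstab: ok"
```

Each function returns non-zero on a failed check, so the three calls can gate a rebuild of the initramfs before the stick is unplugged.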

#3 2016-06-08 13:28:13

kuroshi
Member
Registered: 2016-06-08
Posts: 7

Re: Install Boot partition and grub on Flash

Thanks mate.
I will try this weekend.
I wanted to eliminate the risk of having sensitive data be seen. My first thought was to make an entire USB drive a persistent OS and then have the HDD encrypted, but it was a bit strange, so I came up with this idea of splitting boot and the rest: boot unencrypted on the stick and the rest on an encrypted drive. LUKS and LVM was an option. So even if the HDD is removed it cannot be read (easily).
So if it works for you, it will work for me too.
