Encrypted Debian Live USB key
Posted by inputs_marmalade on Fri 6 Mar 2009 at 09:27
Handling mostly old or problematic hardware, and not always having a stable internet connection, I had long struggled to find a live CD/USB key system that is slim, easy and fast to customize, fully encryptable and includes the Debian network installer.
The great work of the Debian Live team finally provided me with a suitable solution. Debian Live is easily customizable, it shortens the time needed to rebuild an up-to-date version of your own live system after each customization, it is 100% pure Debian, it can integrate the latest Debian netinstall image, and it supports encrypting the whole live filesystem with a single configuration option.
Loop-AES encrypted, standard Debian Live in four moves
I reserve about 3 GB of disk space for the Debian Live image creation.
1. Install the live helper package
root@host:~# apt-get install live-helper
2. Make a dedicated directory and enter in it
root@host:~# mkdir DebianLive
root@host:~# cd DebianLive
3. Prepare the configuration of the live system
root@host:~/DebianLive# lh_config -b usb-hdd -d lenny -e aes256
4. Create the image
root@host:~/DebianLive# lh_build
This takes quite a while and, if nothing fails, will prompt twice for the encryption passphrase.
The result is a file called binary.img, which you can then copy to a USB key with dd. Remember: dd overwrites the whole key! Double-check that your USB key really is /dev/sda (for example with fdisk -l, or by watching dmesg right after plugging the key in) and that it holds no data you still need. On most machines /dev/sda is the internal hard disk, so writing to the wrong device destroys your installed system.
root@host:~/DebianLive# dd if=binary.img of=/dev/sda bs=1M
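The four steps above, plus the device check a practitioner wants before the dd in step 4, as an added example script (this is not the article's own script and not part of live-helper). It assumes the lh_config options shown on this page, sd-style device names, and that the kernel's removable flag in /sys/block/<disk>/removable is reliable for your key; the sysfs and mounts paths are parameters only so the check can be exercised without a real USB key.

```shell
#!/bin/sh
# Added example: wraps the article's four lh_* steps and refuses to dd onto a
# device that is not a removable whole disk or that has mounted partitions.
# Assumed values (adjust): work directory, distribution, cipher, package list.
set -eu

WORKDIR="${WORKDIR:-$HOME/DebianLive}"
DIST="${DIST:-lenny}"
CIPHER="${CIPHER:-aes256}"
PKGLIST="${PKGLIST:-}"            # name of a file in config/chroot_local-packageslists/
SYSFS="${SYSFS:-/sys}"            # overridable so check_target_device can run on a fake tree
PROC_MOUNTS="${PROC_MOUNTS:-/proc/mounts}"

# Steps 1-3: install live-helper, create the work directory, write config/.
configure_live() {
    apt-get install -y live-helper
    mkdir -p "$WORKDIR"
    cd "$WORKDIR"
    set -- -b usb-hdd -d "$DIST" -e "$CIPHER" --debian-installer enabled
    [ -n "$PKGLIST" ] && set -- "$@" --packages-lists "$PKGLIST"
    lh_config "$@"
}

# Step 4: lh_clean first so a previous attempt's build tree cannot interfere;
# lh_build prompts twice for the loop-AES passphrase.
build_live() {
    cd "$WORKDIR"
    lh_clean
    lh_build
}

# check_target_device /dev/sdX [sysfs-root] [mounts-file]
# Returns 0 only if the name is a whole disk (partitions such as sdb1 live
# under /sys/block/sdb/, not /sys/block/), the kernel flags it removable,
# and no partition of it appears in the mounts table.
check_target_device() {
    dev="$1"; sysfs="${2:-$SYSFS}"; mounts="${3:-$PROC_MOUNTS}"
    name="${dev#/dev/}"
    case "$name" in */*|"") echo "bad device name: $dev" >&2; return 1;; esac
    [ -d "$sysfs/block/$name" ] || { echo "$dev is not a whole disk" >&2; return 1; }
    [ "$(cat "$sysfs/block/$name/removable" 2>/dev/null)" = 1 ] \
        || { echo "$dev is not flagged removable, refusing" >&2; return 1; }
    if grep -q "^$dev[0-9]* " "$mounts"; then
        echo "$dev has mounted partitions, refusing" >&2; return 1
    fi
    return 0
}

write_usb() {
    dev="$1"
    check_target_device "$dev"
    dd if="$WORKDIR/binary.img" of="$dev" bs=1M
    sync
}

case "${1-}" in
    configure) configure_live ;;
    build)     build_live ;;
    write)     write_usb "${2:?device required}" ;;
    *)         echo "usage: $0 configure|build|write /dev/sdX" >&2 ;;
esac
```

Run it as root in three invocations: `./build-live.sh configure`, `./build-live.sh build`, then `./build-live.sh write /dev/sdb` after confirming the key's name. The removable flag is set for USB mass-storage devices but not for SATA disks, which is exactly the distinction that protects the internal disk.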
Customization of Debian Live
The lh_config command has plenty of options; man lh_config describes most of them. These options change the default configuration files that live-helper creates in the config/ directory, where you can also edit the files by hand. There are plenty of places to intervene in the process, but here I will only introduce the most obvious ones.
The lh_config command creates a directory tree, of which some of the notable directories are:
./
|-- config
|   |-- (...)
|   |-- chroot_local-includes
|   |-- chroot_local-packages
|   |-- chroot_local-packageslists
|   |-- (...)
`-- scripts
You can add in here whatever you want to find in your final live system image:
- add single packages (.deb) you want to install to config/chroot_local-packages/
- add lists of packages from the apt repositories to config/chroot_local-packageslists/. You can write your own or find pre-made lists in /usr/share/live-helper/lists/. You must then tell live-helper to include your own list: lh_config --packages-lists "my_package_list"
- add your own files under config/chroot_local-includes/. As an example, if you want to add your modified /etc/privoxy/config file, copy it to config/chroot_local-includes/etc/privoxy/config
Note: more experienced users will notice that dropping a directory tree into config/chroot_local-includes/ is not a very orthodox way to deal with directories like /home/user/ (I am not going into the role of /etc/skel/ here), but in my experience it meets my requirements.
If lh_build fails at some point, lh_clean removes everything except the config/ and cache/ directories. In my experience, most failures at this stage are apt-get related. Remember that you must run lh_clean before building a new image in a directory tree that has already been used!
About sensitive data
You can either include all your private files, configuration files and secret keys in your Debian Live image or, as I personally prefer, store sensitive data (like /home/user/.gnupg/, /home/user/verysecret.txt or even /home/user/.mozilla/firefox/) in an encrypted container on the second partition of your USB key. I use loop-AES for the container; if you prefer other encryption software, you can always add it to your package list. Later, either by hand or with a script, you can use that sensitive data in your live system:
- synchronize this data between your home computer and the container
- copy your freshly made Debian Live binary image to a USB key
- copy the encrypted container to the second partition of the USB key
Once you later boot from USB:
- mount the container from within the live system
- make symbolic links from the live system to your sensitive data (changes will then be stored in your container)
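The two boot-time steps (mount the container, link the sensitive data into the live home) as an added example script; it is not the article's own script. It assumes loop-AES's losetup syntax (-e AES256, matching the cipher chosen for the image), a container on /dev/sda2 holding an ordinary filesystem, and that the live user's home is /home/user; all three are assumptions to adjust for your key.

```shell
#!/bin/sh
# Added example: attach the loop-AES container on the key's second partition,
# mount it, and replace the sensitive entries of the live user's home with
# symlinks into the container so that changes persist in the container.
# Assumed values (adjust): CONTAINER_DEV, LOOPDEV, MNT, LIVE_HOME, SENSITIVE.
set -eu

CONTAINER_DEV="${CONTAINER_DEV:-/dev/sda2}"
LOOPDEV="${LOOPDEV:-/dev/loop1}"
MNT="${MNT:-/media/secret}"
LIVE_HOME="${LIVE_HOME:-/home/user}"
# space-separated paths, relative to the home directory, kept in the container
SENSITIVE="${SENSITIVE:-.gnupg .ssh .mozilla verysecret.txt}"

# loop-AES: losetup -e asks for the passphrase, then the loop device mounts
# like any block device.
mount_container() {
    mkdir -p "$MNT"
    losetup -e AES256 "$LOOPDEV" "$CONTAINER_DEV"
    mount -o noatime "$LOOPDEV" "$MNT"
}

# link_sensitive HOME STORE ITEM...
# The copy in STORE is authoritative. An item that exists only in HOME (the
# live system creates e.g. .mozilla on first login) is moved into STORE once;
# if both exist, the live copy is moved aside instead of being destroyed.
# A stale symlink from an earlier run is replaced, so the function is
# safe to run repeatedly.
link_sensitive() {
    home="$1"; store="$2"; shift 2
    for item in "$@"; do
        src="$store/$item"; dst="$home/$item"
        [ -L "$dst" ] && rm "$dst"
        if [ -e "$dst" ]; then
            if [ -e "$src" ]; then
                mv "$dst" "$dst.live-orig"
            else
                mkdir -p "$(dirname "$src")"
                mv "$dst" "$src"
            fi
        fi
        [ -e "$src" ] || continue          # nothing to link for this item yet
        mkdir -p "$(dirname "$dst")"
        ln -s "$src" "$dst"
    done
    # key material must stay private whatever mode the container's files had
    [ -d "$store/.gnupg" ] && chmod 700 "$store/.gnupg"
    [ -d "$store/.ssh" ] && chmod 700 "$store/.ssh"
    return 0
}

umount_container() {
    umount "$MNT"
    losetup -d "$LOOPDEV"
}

case "${1-}" in
    mount)  mount_container; link_sensitive "$LIVE_HOME" "$MNT" $SENSITIVE ;;
    umount) umount_container ;;
    *)      echo "usage: $0 mount|umount" >&2 ;;
esac
```

Run `./secret.sh mount` as root right after login and `./secret.sh umount` before pulling the key, otherwise the container's filesystem is left dirty. If the container was made with dm-crypt instead, replace the losetup line with `cryptsetup luksOpen "$CONTAINER_DEV" secret` and mount /dev/mapper/secret; the link step is the same.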
If you don't need encryption for your changes, live-helper can also store all changes made in a live session automatically, thanks to the "persistence" option.
Further information about "persistence" and many more live-helper topics can be found on the Debian Live homepage, notably in the Debian Live manual and the Debian Live wiki.
Last but not least, here is a very short reminder of some useful lh_config options:
-d lenny                                   # choose the Debian distribution to use [lenny|squeeze|sid]
-b usb-hdd                                 # define the image type to build [iso|net|tar|usb-hdd]
-e aes256                                  # encrypt the root filesystem with loop-AES [aes128|aes192|aes256]
--mirror-bootstrap http://192.168.100.1:3142/ftp.de.debian.org/mirror/debian/   # use your own apt-proxy/mirror/cacher
--mirror-chroot http://192.168.100.1:3142/ftp.de.debian.org/mirror/debian/      # use your own apt-proxy/mirror/cacher
--mirror-chroot-security http://192.168.100.1:3142/security.debian.org/         # use your own apt-proxy/mirror/cacher
--mirror-binary http://ftp.de.debian.org/mirror/debian/                         # added to the live system's /etc/apt/sources.list
--mirror-binary-security http://security.debian.org/                            # added to the live system's /etc/apt/sources.list
--debian-installer enabled                 # include the Debian network installer in your image
--debian-installer-distribution lenny      # choose the Debian installer distribution to use [lenny|squeeze|sid]
--packages-lists "my_package_list"         # install the packages listed in config/chroot_local-packageslists/my_package_list
--bootstrap-flavour minimal --packages-lists "minimal"   # the minimal flavour image will be about 100MB
Enjoy :)
Thanx
thanx
But the good thing is: you can have a new Debian Live image in a reasonable time. The way I do it is to keep a copy of the things I have added to the "chroot_local" directories listed in the article, and I made myself a .txt file to remember the large "lh_config" command. Have a look: http://ram.squat.net/tech/live/encrypted_debian_live.html#finetuning
Doing it like this, it's only some cut'n'paste: keep a copy of the things you add in an ordered place, and you'll be able to have a new Debian Live image with a new passphrase in an hour (CPU running at 1.4 GHz), and with up-to-date software in it.
In my opinion, the whole good thing about Debian Live is exactly that it is faster to make a new up-to-date image than anything else I know: each time you'll add/remove something, so each time it will be more likely to be the image you really need.
Is there any way to control what architecture the image is built for? My desktop is a lowly P4 with not enough hard disk space to even install Debian (family too used to Windows). My two Debian laptops are PowerPC and AMD64 based. The computers at work are mixed x64 and amd64. I think the most beneficial to me would be an image with x86 binaries, but I have no available system to do so. Is there some way to configure lh to build an image with x86 binaries on a system with a different architecture?
Good luck and have fun!
An error has occurred on boot
I wrote my key and I got this error:
LOOP_SET_STATUS: Invalid argument, requested cipher or key length (256 bits) not supported by kernel
Can anyone help me?
Regards
http://www.debian-administration.org/article/81/Mounting_encrypted_volumes
Make a container, mount it, fill it with your supersecret files, unmount it and copy the container to the usb key!
Same thing with dm-crypt, look in the "Encrypted image file" section of this article:
http://anonymous-proxy-servers.net/wiki/index.php/Linux_DM-Crypt
If that's too complicated you can try using Truecrypt (which, unfortunately, is not GPL software, but has a simple user interface)...
Good luck!
--username live-user
look in the manual page of the debian live package!