8

I will create a bootable Ubuntu USB flash disk and I want to know if it's possible to encrypt this usb flash disk with LUKS, so when I boot it to run linux, before entering my user password it asks for the password to decrypt the whole flash disk

  1. boot usb
  2. decrypt password
  3. user password
  4. logged in.

Please note it has to be live loaded to the ram each time I start the OS, I don't want to install on an external usb drive. Thanks in advance!

P.S. If it's impossible, can I leave ./boot unencrypted and encrypt the filesystem with all the system directories?

  • I don't think that's possible. For starting, you need the usb to boot, which needs to access files in the device, but can't because it's encrypted. What you can do is encrypt a partition where you can place your data. – schrodingerscatcuriosity Jul 31 '19 at 14:56
  • 1
    can I encrypt whole data without ./boot folder by Luks ? @guillermochamorro – Mohamed Farouk Jul 31 '19 at 14:59
  • @MohamedFarouk Yes, you can and the installation process is the same, just selecting the USB as the target but otherwise no different than installing in an internal drive. Of course, you need to boot the installer from other USB. I think you can't do that for a more portable live or live with persistence. –  Jul 31 '19 at 16:47
  • @Mohamed Farouk: FULL DISK ENCRYPTION see https://askubuntu.com/questions/590431/full-disk-encryption-home-folder-encryption-needed-wouldnt-full-disk-encrypt/1086016#1086016 Caution, disable internal HDD before proceeding. – C.S.Cameron Jul 31 '19 at 17:06
  • @C.S.Cameron I need it live not installed – Mohamed Farouk Aug 01 '19 at 09:09
  • Why do you need to have the base system encrypted? I would create 2 partitions: 1 for base system as is and a 2nd for personal files. You can encrypt the 2nd afterwards. – Rinzwind Aug 01 '19 at 09:14
  • @Rinzwind I need to encrypt the filesystem itself in order to avoid anyone messing with the os itself. If I leave the system un-encrypted and only encrypt my personal files, an attacker who has physical access to the drive might alter the system files and install a keylogger. – Mohamed Farouk Aug 01 '19 at 09:25
  • 1
    I would stop with this attempt: Encryption is not the answer to prevent keyloggers. As soon as you insert the USB in a foreign system that system can install that keylogger. Heck, it can extract every file from your USB without you noticing. If you don't trust a system don't insert an USB into it. And don't put information on that USB. Whenever I come back from China - all my hardware is destroyed - That is the only 100% working method. Encryption is only good for preventing thieves to get to data. It does not help against theft from a computer that is set up as malicious where you stick your USB into – Rinzwind Aug 01 '19 at 09:48
  • @Rinzwind Thanks a lot for helping :) I understand your point. Keylogger was only an example but it's not the only reason. How would someone be able to steal data from my encrypted drive if they can't even get in or install anything inside my system. The drive won't even work for them. Even if we assume the existence of hardware keylogging, I'm not saying I'm inserting my flash drive in a computer that I don't trust, but if someone steals the drive they won't be able to access it. – Mohamed Farouk Aug 01 '19 at 10:11
  • @Rinzwind Here's a possible scenario: I use the flash drive to boot my live system daily on my computer that I trust, someone steals the drive for 30 mins, alters the filesystem and puts it back in my computer without me noticing, now when I start my system, I will be using the altered system without even knowing. That's the scenario I'm looking to prevent. What I'm trying to know here is "how to create an encrypted live system to protect the os from being altered". I already have an encrypted partition to store my files as you first suggested, but I want to protect the filesystem as well. – Mohamed Farouk Aug 01 '19 at 10:12
  • If you clone Ubuntu from the iso file to a USB drive you will get a live-only system with a read-only file system (ISO 9660). This might be tampered with during a session, but after reboot you will have the original system. But it also means that you cannot save any files, that survive a reboot. If you want more security than Ubuntu and other main linux distros provide, please consider Tails – sudodus Aug 01 '19 at 10:13
  • @sudodus thanks for your reply. AFAIK the read-only state applies to me when I use the drive as os drive. But if the drive is inserted in a foreign computer the drive can be still accessed and the main filesystem could be altered. – Mohamed Farouk Aug 01 '19 at 10:16
  • Yes, but you should notice if it is no longer the same but another version of operating system. The alternative to have an 'installed' system in the USB drive and have that system encrypted is already suggested. – sudodus Aug 01 '19 at 10:18
  • @sudodus How can I know if it is the same exact linux version but only with a few lines of malicious code inserted somewhere in the os files. – Mohamed Farouk Aug 01 '19 at 10:19
  • 2
    "But if the drive is inserted in a foreign computer the drive can be still accessed and the main filesystem could be altered" And encryption is not going to prevent that. As soon as you unencrypt the USB it can be changed. It is mounted into the system and the admin can do ANYTHING with the USB. You would also need a checksum to see if someone tampered with the USB. edit: ha, answered your q before you asked it ;-) Where a checksum does not mean files can not be extracted from the USB. A checksum only shows if things got added or removed. – Rinzwind Aug 01 '19 at 10:20
  • With checksums as suggested by Rinzwind. – sudodus Aug 01 '19 at 10:22
  • @Rinzwind, the idea of a checksum seems nice, but it's time consuming to do a checksum every time I want to use the drive. Also I don't see the mechanism to ask the flash drive to do the checksum on itself before booting the live linux distro stored on it. "As soon as you unencrypt the USB it can be changed. It is mounted into the system and the admin can do ANYTHING with the USB." Yes I understand, but I will be the only one capable of decrypting it. – Mohamed Farouk Aug 01 '19 at 10:38
  • With the idea I'm trying to achieve, if it's inserted in a foreign system just as secondary drive, they can format it (which is fine for me), but they can't alter the filesystem since they can't access it without decrypting it, and they won't have the decryption key – Mohamed Farouk Aug 01 '19 at 10:38
  • A Full install to USB can have Full Disk Encryption so that only the Boot partition is left Unencrypted. https://askubuntu.com/questions/1085982/does-the-full-disk-encryption-in-the-ubuntu-18-04-installer-encrypt-all-partitio/1086011#1086011 – C.S.Cameron Aug 07 '19 at 17:26
  • @C.S.Cameron that's not the answer of my question please read my question carefully – Mohamed Farouk Aug 07 '19 at 19:49
  • It is my understanding that you can not encrypt the system partition on a Live or Persistent Live install. Prior to 18.04 it was possible to encrypt the home directory of a persistent drive. A Full install to USB has many benefits. – C.S.Cameron Aug 08 '19 at 00:58
  • @MohamedFarouk Have you found a solution? I'm also looking into this, I would appreciate any helpful info. – Light Flow Nov 09 '23 at 14:42

1 Answer

1

This is impossible since if the boot volume is encrypted the BIOS / UEFI will be unable to execute the boot sector / boot application.

What you can do though is use the Ubuntu Live Installer to install Ubuntu onto another USB stick as the system disk, with LUKS encryption. The drawback will be that you lose the ability to hibernate because Ubiquity currently creates much too small swap partitions, and also randomizes the encryption key at every start, which obliterates the state of the swap partition.

In the second scenario you will have the boot partition unencrypted, so it can still be tampered with, i.e. a keylogger could be written into it. You can get around that by signing the boot volume and using Secure Boot, but then you have to talk Microsoft into signing your boot volume or giving you a signing key. Good luck with that.

If you really are worried about keyloggers, then carry your own PC, do not use wireless keyboard/mouse, enable secure boot, boot a LiveCD image which doesn't preserve any state whatsoever, use a VPN to connect a VNC/RDP client over SSL to the machine you actually keep your state with, use a strong, memorable password that you never record anywhere (see https://xkcd.com/936/ for an understanding of what this means.)

That will protect you from physical access, it will protect you from remote access, and it will save you from brute-force. It will be inconvenient since you won't always have network access, you will always have to carry the hardware with you, and you will not be able to get good value from the hardware you are carrying since you're only using it as a thin client, disregarding its additional memory / processing / storage capabilities.

Even all of this won't protect you from a CCTV camera locked on your keyboard while you type, so you will also need to be aware of your surroundings.

It may also run you up a significant mobile data bill.

So unless you really are a very exceptionally fat, juicy target that's likely to be targeted by people who are prepared to invest the resources to hack you, I think you're better off just avoiding using public internet terminals, carrying your own inexpensive device, securing it with LUKS, using a VPN or at least TORBrowser to guarantee your browsing isn't being spied on. Then your biggest worry should be whether you leave your device somewhere and it gets stolen, but no worry over whether they have access to your data.

Wil
  • 805
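
The comments above suggest a checksum for spotting changes to a live stick cloned from the ISO. As an added example (not part of the original thread), this script compares the stick's leading bytes with the ISO from a trusted machine; it assumes the stick was written as a raw clone, and `verify_clone`, `prefix_sha256` and `/dev/sdX` are illustrative names.

```shell
#!/bin/sh
# Added example: check from a TRUSTED machine that a cloned live USB still
# matches the ISO it was written from. Assumption: the stick is a raw clone
# (dd/cp of the ISO), so its first <ISO size> bytes equal the ISO exactly.
# Sticks built by file-copying tools or with a modified partition table
# will not match and need a per-file manifest instead.

# Print the SHA-256 of the first $2 bytes of file or block device $1.
prefix_sha256() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_clone ISO DEVICE [EXPECTED_ISO_SHA256]
# Returns 0 = device matches ISO, 1 = device differs (or is too short),
#         2 = ISO itself fails the published checksum, 3 = unreadable input.
verify_clone() {
    vc_iso=$1; vc_dev=$2; vc_expected=${3:-}
    [ -r "$vc_iso" ] && [ -r "$vc_dev" ] || {
        echo "cannot read '$vc_iso' or '$vc_dev'" >&2; return 3; }

    vc_size=$(($(wc -c < "$vc_iso")))
    vc_iso_hash=$(prefix_sha256 "$vc_iso" "$vc_size")

    # Optional: pin the ISO to the hash from the distributor's SHA256SUMS,
    # otherwise a swapped ISO and a swapped stick would still "match".
    if [ -n "$vc_expected" ] && [ "$vc_iso_hash" != "$vc_expected" ]; then
        echo "ISO does not match the expected checksum" >&2; return 2
    fi

    # Only the ISO-sized prefix is compared; space after it on the stick
    # (for example a separate data partition) is not covered by this check.
    vc_dev_hash=$(prefix_sha256 "$vc_dev" "$vc_size")
    if [ "$vc_dev_hash" = "$vc_iso_hash" ]; then
        echo "OK: first $vc_size bytes of $vc_dev match $vc_iso"
        return 0
    fi
    echo "MISMATCH: $vc_dev differs from $vc_iso" >&2
    return 1
}

# Run as a script: sudo sh verify_clone.sh ubuntu.iso /dev/sdX [sha256]
[ "$#" -lt 2 ] || verify_clone "$@"
```

A match only says the ISO-sized region is unchanged; it says nothing about the machine's firmware or anything stored past that region.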