4

I want to have a bootable flash drive that's fully encrypted. I have not tested, but seem to like, TrueCrypt, which provides a fully encrypted system and has lots of other features I like (for instance, hidden volumes). Unfortunately, it seems, system encryption is only supported for Windows, although I'm not sure why.

The crux here, I guess, is that you need a boot loader that is capable of asking for your password and decrypting the disk, at least the part that contains kernel and initrd.

An alternative might be to have an unencrypted boot partition containing a more powerful system which will decrypt and mount the main partition. However, this brings up the question of whether you're introducing data leaks. Depending on the specific scenario, I may lack the experience to assess if this is a problem. So I'd strongly prefer a fully encrypted disk or a similarly straightforward alternative.

5 Answers

2

If I had to give you an answer right now without googling for this issue, then my solution would be: put any Linux distribution with VMware on the drive, within that distribution keep your other Linux hard drive encrypted and just decrypt that on boot and start it using VMware.

A few issues this might bring. The flash disk might be too slow to run a virtual machine on, or you might have insufficient space. I think this should run on a normal external hard drive though. But I guess this is rather far-fetched.

What are you really trying to reach though? If you're just trying to keep some files safe, a few simple chmods might solve the problem? (I assume it's pretty safe). Hope I can help you further.

1
2

Another option: use

  • a (non-bootable) encrypted thumbdrive
  • a read-only boot drive (non-encrypted)

The read-only boot drive can be a "LiveCD" CDROM (not a CDRW), a thumb drive with the switch in the "read-only" position, an SD card with the switch in the "read-only" position, etc.

Because the boot drive is read-only, you can be sure that no sensitive data is accidentally leaked onto a non-encrypted partition.

1

Fedora can do an encrypted install, and if you pass expert to the installer then it will let you install onto removable media. The only caveat is that /boot will need to be unencrypted so that the computer can read it for booting.

1

Check out Privatix. It's a Debian-based distro, actually just a tweaked version of the Debian LiveCD. It should give you some ideas. There's not a lot of documentation available on it, but it's simple enough to install and poke around a bit.

1

Encrypted 20.04 Full Install USB that Boots BIOS and UEFI Modes

Ubuntu 20.04 makes full disk encryption easy.

  • Unplug HDD

  • Boot Live USB in BIOS/Legacy mode, insert Target drive.

  • Start Install Ubuntu 20.04 LTS.

  • Select Language, Keyboard, Wireless, Normal Installation, Install third Party... .

  • At Installation type Tag "Erase disk and install Ubuntu" and then select "Advanced features". Click "Use LVM with the new Ubuntu installation" and then "Encrypt the new Ubuntu installation for security".

  • Choose a security key. Overwrite empty disk space if inclined.

  • Select Country, then User name and Password.

  • When Installation completes the drive will boot encrypted in BIOS mode.

  • Open the 20.04 ISO file and copy boot and ESP folders to partition 1.

  • Copy grub.cfg from Partition 5 /boot/grub/ to Partition 1 /boot/grub/ overwriting the existing grub.cfg.

  • Re-Install GRUB:

    sudo mount /dev/sdx1 /mnt
    sudo grub-install --boot-directory=/mnt/boot /dev/sdx

  • Encrypted Full install USB should now be working in BIOS and UEFI modes.
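
A read-only check, added here as an example (not part of any answer above), that classifies the partitions of the finished drive from `lsblk -rn -o NAME,TYPE,FSTYPE` output and shows which ones stay readable without the passphrase. The sample layout is constructed: `sdx` follows the placeholder in the commands above, partitions 1 and 5 follow the answer, and partitions 2 and 6 and the LVM names are assumptions.

```shell
#!/bin/sh
# Added example: list which partitions of an installed drive are not encrypted.
# Feed it the output of:  lsblk -rn -o NAME,TYPE,FSTYPE /dev/sdx

# Constructed sample in that format. Partition 1 (ESP) and partition 5 (/boot)
# follow the answer; partitions 2 and 6 and the mapper names are assumptions.
sample_layout() {
cat <<'EOF'
sdx disk
sdx1 part vfat
sdx2 part
sdx5 part ext4
sdx6 part crypto_LUKS
sdx6_crypt crypt LVM2_member
vgubuntu-root lvm ext4
vgubuntu-swap_1 lvm swap
EOF
}

# Print "<name> <status> <fstype>" for every partition read from stdin.
#   encrypted = LUKS container, plaintext = readable without the passphrase,
#   no-fs     = no filesystem signature (for example an extended partition).
classify_partitions() {
    awk '$2 == "part" {
        fs = ($3 == "") ? "-" : $3
        if (fs == "crypto_LUKS") status = "encrypted"
        else if (fs == "-")      status = "no-fs"
        else                     status = "plaintext"
        print $1, status, fs
    }'
}

# Print only the names of plaintext partitions, space-separated on one line.
plaintext_partitions() {
    classify_partitions |
        awk '$2 == "plaintext" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Succeed only if every plaintext partition is in the allowed list ($1).
check_layout() {
    allowed=" $1 "
    for p in $(plaintext_partitions); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "unexpected plaintext partition: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

sample_layout | classify_partitions   # demo on the constructed sample
```

On a real drive, pipe the `lsblk` command from the header comment into `check_layout` with the partitions you expect to be unencrypted (the ESP and `/boot`); anything else it reports is data stored in the clear.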
