Encrypted Manjaro on a Stick

Jan 22

Run Encrypted Manjaro on a Stick

This guide and the resulting USB is intended to run on generic hardware - any 64-bit computer which is capable of booting an USB by using the firmware's boot override.

This guide contains no instructions to install GUI - other guides can be used.

Goals

  1. Basic Encrypted Manjaro on USB stick - verify boot
  2. Hybrid boot - able to boot from BIOS as well as EFI system
  3. Data sharing with other systems using exfat

Prerequisites

  • USB3 device a reasonable size e.g. 64G.
  • A test system configured to allow booting from external media.

First steps

CAUTION

You will be doing the following as root so in case of device names - do double check your devices.

DISCLAIMER: I take no responsibility if you wreck something because you are to quick on the Enter key.

Change user

Open a terminal and login as root.

$ su -l root
Password: 

Through the rest of this article - I will be using a device path of /dev/sdy - replace with your actual device. You can verify which device you are using by removing all USB flash devices. Insert the device you want to use and list your devices. You can recognize the removable device by the number 1 in the RM column.

Prepare the device

We will be using an unencrypted boot partition, so we cannot hide the presence of a Linux system on the device and where it is. Before we do anything we will fill the device using a random pattern. The benefit is that encrypted data cannot be distinguished from the rest of the device.

Start by unmounting your device - using force if necessary.

# umount -f /dev/sdy

Wipe the device (double check device path) using a random pattern.

# dd if=/dev/urandom of=/dev/sdy bs=4M status=progress

Partitions

For this article I am using a 64G SanDisk Extreme.

To be able to exchange unencrypted data without having to boot the USB we will create a partition of 16G. To maximize compatibility we can use VFAT which be read by most systems. VFAT impose a filesize limit of 4G - just so you know.

The intention is to create a hybrid USB capable of booting from a BIOS system as well as an EFI system so we need a special BIOS partition as well.

Create GUID partition table

# sgdisk --mbrtogpt /dev/sdy

Create the bios boot partition

# sgdisk --new 1::+1M --typecode 1:ef02 --change-name 1:"BIOS boot partition" /dev/sdy

Create the EFI system partition

# sgdisk --new 2::+50M --typecode 2:ef00 --change-name 2:"EFI System" /dev/sdy

Create the data partition

# sgdisk --new 3::+16G --typecode 3:0700 --change-name 3:"Microsoft basic data" /dev/sdy

Create grub boot partition

# sgdisk --new 4::+1G --typecode 4:8300 --change-name 4:"Linux filesystem" /dev/sdy

Create root partition

# sgdisk --new 5::: --typecode 5:8300 --change-name 5:"Linux filesystem" /dev/sdy

Create hybrid MBR

Arch Linux documentation

# sgdisk --hybrid 1:2:3 /dev/sdy

Boot flag for data partition

# sgdisk --attributes 3:set:2 /dev/sdy

Clean BIOS partition

# wipefs -af /dev/sdy1

Clean and format EFI partition

# wipefs -af /dev/sdy2
# mkfs.vfat -vF32 /dev/sdy2

Clean and format data partition

# wipefs -af /dev/sdy3
# mkfs.vfat /dev/sdy3

Clean and format grub boot partition

# wipefs -af /dev/sdy4
# mkfs.ext2 /dev/sdy4

Create LUKS container

The larger --iter-time argument used will create a stronger resistance against brute-force but takes longer to decrypt.

# cryptsetup --verbose --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdy5

Confirm and enter passphrase twice and unlock the container (longer password - better encryption)

# cryptsetup open --type luks /dev/sdy5 cryptroot

Create a file system in the container

# mkfs.ext4 /dev/mapper/cryptroot

Mounting

Mount root

# mount /dev/mapper/cryptroot /mnt

Create the /boot folder

# mkdir /mnt/boot

Mount the grub boot partition

# mount /dev/sdy4 /mnt/boot

Create the /boot/efi folder

# mkdir /mnt/boot/efi

And mount the EFI partition

# mount /dev/sdy2 /mnt/boot/efi

Finally create a folder for the data partition

# mkdir /mnt/data

And mount the data partition

# mount /dev/sdy3 /mnt/data

Base installation

# basestrap /mnt base sudo networkmanager linux54 links nano vim grub mkinitcpio bash-completion

Configure system

Create fstab

# fstabgen -U /mnt >> /mnt/etc/fstab

Verify the generated fstab has the expected content - remove references to other devices than your USB device at /dev/sdy (e.g. the host systems swap).

Chroot

# manjaro-chroot /mnt /bin/bash

Hostname

# echo manjaro > /etc/hostname

Edit /etc/hosts

# nano /etc/hosts
127.0.0.1   localhost
::1     localhost
127.0.1.1   manjaro.localdomain   manjaro

Timezone

Example for Denmark

# ln -sf /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
# hwclock --systohc

Network Manager

Enable network connection

# systemctl enable NetworkManager

Enable ntp client

# systemctl enable systemd-timesyncd

Locale

Locale example for Danish locale

  • uncomment en_DK.UTF-8 and en_US.UTF-8

Save file and generate the messages

# nano /etc/locale.gen
# locale-gen

/etc/locale.conf

Locale.conf example for Denmark

# echo LANG=en_DK.UTF-8 > /etc/locale.conf

Root password

# passwd

/etc/mkinitcpio.conf

Add encrypt and block - save the changes

# nano /etc/mkinitcpio.conf
HOOKS="base udev encrypt block keyboard autodetect modconf filesystems fsck"

-- https://wiki.archlinux.org/index.php/Mkinitcpio#Common_hooks

Build initramfs

# mkinitcpio -P

Install grub

EFI

# grub-install --target=x86_64-efi--boot-directory=/boot --efi-directory=/boot/efi --removable --recheck

BIOS

# grub-install --force --target=i386-pc --recheck --boot-directory=/boot /dev/sdy

Fallback

# grub-install --force --target=i386-pc --boot-directory=/boot --recheck /dev/sdy3

Edit grub default

We could use the device naming but in systemd world this naming may not always be the same - not guaranteed to be identical on every boot - so it is highly recommended to use UUID.

To the UUID of the sdy5 partition holding the cryptroot we use lsblk and define the output to be NAME,UUID.

lsblk -o NAME,UUID /dev/sdy5

You will get two UUIDs - the first being the physical partion - the second the cryptroot partition - and it is the UUID of the physical partition we need for grub.

# nano /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx-yyy-zzzz:cryptroot"

Save the file and create grub config

# grub-mkconfig -o /boot/grub/grub.cfg

Exit your chroot and eject the stick

# sync
# exit
# sync

Moment of truth


Verify the stick is bootable on another system at hand. Login as root.

If you are using a cable verify you have a network connection.

nmcli device show | grep  IP4

If you need to create a wireless connection launch the Network Manager console

$ nmtui

Test your internet connection

$ links manjaro.org

If you cannot make a network connection - wireless Broadcom comes to mind - you need to mount the stick in a chroot and install the necessary drivers and then test it again.

When you have verified the stick works you are ready to continue. What is next is entirely up to you.

IMPORTANT: Never just unplug your device - you will damage the filesystem. Shutdown the system before removing your stick.

Next Post Previous Post