Debian on a USB stick
Modern live boot usb stick
- 1st Partition: Size: 200 MB - Use As: EFI Partition (no other options will be available once this is chosen, it will be set to FAT32 and mounted at /boot/efi)
- 2nd Partition: Size: 1 GB - Use As: Ext4 - Mount point: "/boot" (static files)
- 3rd Partition: Size: remaining free space - Use As: Physical Volume for Encryption
(done)
- Scroll up to "configure encrypted volumes" > write changes, then "create encrypted volumes."
- Select "partition" > "finish"
- Create your encryption password
- Scroll to "encrypted volume" and select the partition listed beneath to edit it.
- Set mount point to "/" (root) > done setting up partition
- Finish partitioning and write changes to disk (finally! But wait, there's more!!)
- The installer will ask if you want to return to create a swap partition. Select "no"
- Write changes. This will commence the actual installation.
install EFI
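# unlock the encrypted root and mount the installed system under /mnt
cryptsetup luksOpen /dev/sda3 mnt
mount /dev/mapper/mnt /mnt && mount /dev/sda2 /mnt/boot && mount /dev/sda1 /mnt/boot/efi
mount --bind /dev /mnt/dev && mount --bind /dev/pts /mnt/dev/pts && mount --bind /proc /mnt/proc && mount --bind /sys /mnt/sys
# install GRUB for EFI from inside the installed system
chroot /mnt
grub-install --target=x86_64-efi /dev/sda
grub-install --recheck /dev/sda
exit
umount /mnt/sys && umount /mnt/proc && umount /mnt/dev/pts && umount /mnt/dev
# /boot/efi and /boot have to be unmounted before /mnt, otherwise umount /mnt fails as busy
umount /mnt/boot/efi && umount /mnt/boot && umount /mnt
cryptsetup luksClose mnt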
try and reduce writes to root
add the following lines to /etc/fstab
tmpfs /tmp tmpfs nosuid,nodev 0 0
tmpfs /var/log tmpfs nosuid,nodev 0 0
tmpfs /var/tmp tmpfs nosuid,nodev 0 0
tmpfs /var/log/journal tmpfs nosuid,nodev 0 0
tmpfs /var/log/gdm3 tmpfs nosuid,nodev 0 0
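An added check, not part of the original page: a POSIX shell function (the name audit_tmpfs is made up here) that confirms the listed directories are tmpfs entries carrying the nosuid,nodev options used in this section, and shows what it reports for the older defaults,noatime style of entry used in the lenny layout on this page. The sample fstab contents are constructed from the page's own lines.

```shell
#!/bin/sh
# audit_tmpfs FSTAB MOUNTPOINT...   (hypothetical helper, added example)
# Prints OK / WEAK / MISSING per mount point and returns the number of
# mount points that are not tmpfs with both nosuid and nodev.
audit_tmpfs() {
    fstab=$1; shift
    bad=0
    for mp in "$@"; do
        # fstab fields: 2 = mount point, 3 = type, 4 = options; skip comments
        opts=$(awk -v mp="$mp" \
            '$1 !~ /^#/ && $2 == mp && $3 == "tmpfs" { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            echo "MISSING $mp"; bad=$((bad + 1)); continue
        fi
        missing=""
        for want in nosuid nodev; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "WEAK $mp (add:$missing)"; bad=$((bad + 1))
        else
            echo "OK $mp"
        fi
    done
    return "$bad"
}

# Constructed samples built from this page's fstab lines.
new_fstab=$(mktemp); old_fstab=$(mktemp)
trap 'rm -f "$new_fstab" "$old_fstab"' EXIT
cat > "$new_fstab" <<'EOF'
tmpfs /tmp tmpfs nosuid,nodev 0 0
tmpfs /var/log tmpfs nosuid,nodev 0 0
tmpfs /var/tmp tmpfs nosuid,nodev 0 0
EOF
cat > "$old_fstab" <<'EOF'
#/etc/fstab: static file system information.
tmpfs /tmp tmpfs defaults,noatime 0 0
tmpfs /var/log tmpfs defaults,noatime 0 0
EOF

audit_tmpfs "$new_fstab" /tmp /var/log /var/tmp
audit_tmpfs "$old_fstab" /tmp /var/log /var/tmp || echo "$? mount point(s) to fix"
```

On an installed stick, point it at the real file: audit_tmpfs /etc/fstab /tmp /var/log /var/tmp.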
old
The same principles can be used to create a minimal Debian install without encryption.
This is similar in size yet more up to date than DSL.
http://feraga.com/project/deb2flash
Note: use --help for options - has single partition unencrypted, two partitions, one encrypted...
historic info - useful if feraga is down
Content from Feraga with some minor tweaks for testing - lenny
apt-get install cryptsetup dmsetup parted debootstrap grub
sda1 unencrypted boot partition
sda2 root filesystem
mkfs.ext2 /dev/sda1
tune2fs -c0 -i0 /dev/sda1 # optionally turn off filesystem checks
cryptsetup luksFormat /dev/sda2
Note YES in capitals
cryptsetup luksOpen /dev/sda2 rootfs
mkfs.ext2 /dev/mapper/rootfs
tune2fs -c0 -i0 /dev/mapper/rootfs # optionally turn off filesystem checks
mkdir /mnt/buildroot
mount -t ext2 /dev/mapper/rootfs /mnt/buildroot
mkdir /mnt/buildroot/boot
mount /dev/sda1 /mnt/buildroot/boot
debootstrap --arch i386 lenny /mnt/buildroot
mount -o bind /dev/ /mnt/buildroot/dev
mount -o bind /dev/pts /mnt/buildroot/dev/pts
mount -o bind /sys /mnt/buildroot/sys
/lib/udev/vol_id -u /dev/sda1
/lib/udev/vol_id -u /dev/sda2
chroot /mnt/buildroot /bin/su -l
Create /etc/fstab with the below:
#/etc/fstab: static file system information.
#
/dev/mapper/rootfs / ext2 defaults,errors=remount-ro,noatime 0 1
UUID=<uuid for sda1> /boot ext2 defaults,noatime,ro 0 1
none /proc proc defaults 0 0
tmpfs /tmp tmpfs defaults,noatime 0 0
tmpfs /var/lock tmpfs defaults,noatime 0 0
tmpfs /var/log tmpfs defaults,noatime 0 0
tmpfs /var/run tmpfs defaults,noatime 0 0
/etc/apt/apt.conf.d/30remount_readwrite
DPkg {
    // remount /boot read-write while dpkg runs, read-only again afterwards
    Pre-Invoke { "mount -o remount,rw /boot"; };
    Post-Invoke { "mount -o remount,ro /boot"; };
};
mount -a
Change flash to your hostname:
/etc/hosts
127.0.0.1 localhost.localdomain localhost flash
/etc/hostname
flash
/etc/apt/sources.list
deb http://ftp.debian.org/debian sid main non-free contrib
create script for log directory structure:
/etc/rcS.d/S37feraga-init.sh
#!/bin/sh
case "$1" in
    start)
        echo
        echo "Feraga"
        echo "-Recreating required subdirectories on /var/log (tmpfs)"
        # /var/log subdirectories.
        mkdir -p /var/log/fsck
        mkdir -p /var/log/ksymoops
        mkdir -p /var/log/news
        # Example for the mixmaster anonymous remailer
        if [ -f /usr/bin/mixmaster ] ; then
            mkdir -p /var/log/mixmaster
        fi
        # Example for the Tor proxy
        if [ -f /usr/sbin/tor ] ; then
            mkdir -p /var/log/tor
        fi
        # Example for Privoxy
        if [ -f /usr/sbin/privoxy ] ; then
            mkdir -p /var/log/privoxy
        fi
        # Apt archive subdirectories.
        mkdir -p /var/cache/apt/archives/partial
        echo "-done."
        echo
        ;;
    stop)
        echo "Feraga shutting down."
        # Add anything that needs to happen at shutdown here.
        echo
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
apt-get update
apt-get install initramfs-tools

usbcore
ehci-hcd
ohci-hcd
uhci-hcd
usbhid
ide-core
scsi_mod
usb-storage
mbcache
ext2
ide-cd
ide-disk
ide-generic
sd_mod
Configure /etc/initramfs-tools/initramfs.conf
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
MODULES=most
BUSYBOX=y
BOOT=local
DEVICE=eth0
NFSROOT=auto

apt-get install cryptsetup dmsetup hashalot
cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/
/etc/crypttab: replace the <uuid for sda2> with your uuid
# <target name> <source device> <key file> <options>
rootfs /dev/disk/by-uuid/<uuid for sda2> none luks
edit /etc/initramfs-tools/scripts/local-top/cryptroot to allow for USB detection.
modprobe -q dm_crypt
## After this line add the following.
# Add delay
message "Sleeping for 5 seconds to allow USB detection."
sleep 5
message "Awake, attempting to mount encrypted partitions."
in chroot shell
mount -o remount,rw /boot
apt-get install grub
Next from outside the chroot:
grub-install --recheck --root-directory=/mnt/buildroot /dev/sda
Edit /boot/grub/menu.lst and add this simplified configuration:
# default num
default 0
# timeout sec
timeout 5
# pretty colours
color green/black black/green
### BEGIN AUTOMAGIC KERNELS LIST
##
## Start Default Options ##
# kopt=root=/dev/mapper/rootfs ro
# groot=(hd0,0)
# alternative=true
# lockalternative=false
# defoptions=
# lockold=false
# howmany=all
# memtest86=true
# updatedefaultentry=false
##
## End Default Options ##
### END DEBIAN AUTOMAGIC KERNELS LIST

grub
root (hd1,0)
setup (hd1)
quit
rm -f /boot/grub/device.map
/etc/kernel-img.conf
do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes ## <--- Verify this line
link_in_boot = yes
postinst_hook = /sbin/update-grub
postrm_hook = /sbin/update-grub
apt-get install linux-image-686
apt-get remove linux-image-686
apt-get clean
passwd
umount -a
to update the scripts in initramfs:
update-initramfs -u