Debian Live USB stick with persistent storage and encryption

For some time now I have wanted a Debian Live USB stick on which changes are permanently saved. In the end I decided to use a SanDisk USB stick with USB3 and 128 GB.

I downloaded the ISO file of Kali Linux with all data (about 14 GB) and flashed it to the USB stick with Balena Etcher under Windows 11. Kali Linux is based on Debian.

I then used another Debian Live operating system on another USB stick to boot and, after the boot process was complete, connected the new USB stick with Kali Linux.

In this combination, the new USB stick will usually be sdb, while the other live system is on sda. This can be checked with:

lsblk

Once the drive letter is known, you can start using the free space on the stick (replace sdX). The following commands create a new partition in the free space on the USB stick, encrypt it, format it and activate persistence. As previously mentioned, the X must be replaced with the correct drive letter, otherwise there is a risk of data loss!

sudo fdisk /dev/sdX <<< "$(printf "p\nn\np\n\n\n\np\nw")"
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdX3
sudo cryptsetup luksOpen /dev/sdX3 my_usb
sudo mkfs.ext4 -L persistence /dev/mapper/my_usb
sudo mkdir -pv /mnt/my_usb
sudo mount -v /dev/mapper/my_usb /mnt/my_usb
echo "/ union" | sudo tee /mnt/my_usb/persistence.conf
sudo umount -v /mnt/my_usb
sudo cryptsetup luksClose /dev/mapper/my_usb
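
A pre-flight check for the sdX placeholder, as an added example that is not part of the original post: it parses lsblk output and accepts only an unmounted USB disk with exactly two partitions. The function name check_target, the sample lsblk lines and the two-partition expectation (inferred from the post's use of sdX3) are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight check for the sdX placeholder: accept only an idle USB disk that
# has exactly two partitions, so that the partition fdisk creates becomes sdX3.

# Constructed sample in `lsblk -P` format (not output from a real machine):
# sda = live system that is currently booted, sdb = freshly flashed stick.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" TRAN="usb" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" TRAN="" PKNAME="sda" MOUNTPOINT="/run/live/medium"
NAME="sda2" TYPE="part" TRAN="" PKNAME="sda" MOUNTPOINT=""
NAME="sdb" TYPE="disk" TRAN="usb" PKNAME="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" TRAN="" PKNAME="sdb" MOUNTPOINT=""
NAME="sdb2" TYPE="part" TRAN="" PKNAME="sdb" MOUNTPOINT=""
NAME="nvme0n1" TYPE="disk" TRAN="nvme" PKNAME="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" TRAN="" PKNAME="nvme0n1" MOUNTPOINT="/mnt/data"'

# check_target DISK [LSBLK_TEXT]: DISK is the name without /dev/. Without a
# second argument the running system is queried. Returns 0 only if DISK is safe.
check_target() {
    printf '%s\n' "${2:-$(lsblk -P -o NAME,TYPE,TRAN,PKNAME,MOUNTPOINT)}" |
    awk -v d="$1" '
        # Extract the value of KEY="value" from the current line.
        function field(key,    s) {
            if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
            s = substr(" " $0, RSTART, RLENGTH)
            return substr(s, length(key) + 4, length(s) - length(key) - 4)
        }
        {
            name = field("NAME"); parent = field("PKNAME")
            if (name == d) { seen = 1; type = field("TYPE"); tran = field("TRAN") }
            if (parent == d && field("TYPE") == "part") parts++
            if ((name == d || parent == d) && field("MOUNTPOINT") != "") busy = 1
        }
        END {
            if (!seen)               why = "no such device"
            else if (type != "disk") why = "not a whole disk"
            else if (tran != "usb")  why = "not attached via USB"
            else if (busy)           why = "a filesystem on it is mounted"
            else if (parts != 2)     why = "expected 2 partitions, found " (parts + 0)
            if (why != "") { print "REFUSE " d ": " why; exit 1 }
            print "OK: " d " is an idle USB disk; the new partition will be /dev/" d "3"
        }'
}

check_target sdb "$SAMPLE_LSBLK"           # the new stick
check_target sda "$SAMPLE_LSBLK" || true   # the booted live system is refused
```

Called with only the disk name, for example check_target sdb, the function queries the running system instead of the sample.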

You can then reboot, remove the old stick and boot from the new USB stick.

No WLAN under Kali Linux

The WLAN icon is not automatically displayed in the top right-hand corner, even if the appropriate drivers are already available. The first WLAN network should therefore be added manually via the Advanced Network Manager. This means it is usually NOT necessary to install drivers or other packages from insecure sources.

Increase PIM for cryptsetup or time for key verification

If you want to make it even more “secure”, you can increase the time for the key check and use the following commands instead. The only difference is the specified --iter-time value. Note, however, that cryptsetup under Linux does not have a PIM like VeraCrypt.

sudo fdisk /dev/sdX <<< "$(printf "p\nn\np\n\n\n\np\nw")"
sudo cryptsetup --verbose --verify-passphrase --iter-time 60000 luksFormat /dev/sdX3
sudo cryptsetup luksOpen /dev/sdX3 my_usb
sudo mkfs.ext4 -L persistence /dev/mapper/my_usb
sudo mkdir -pv /mnt/my_usb
sudo mount -v /dev/mapper/my_usb /mnt/my_usb
echo "/ union" | sudo tee /mnt/my_usb/persistence.conf
sudo umount -v /mnt/my_usb
sudo cryptsetup luksClose /dev/mapper/my_usb

Change iterations or password later

Of course, this can also be done later after a reboot (into the live system with persistence):

sudo cryptsetup luksChangeKey /dev/sdX3 --iter-time 60000

This command changes the password and sets the time for the key check to about 60000 ms.
