Friday, April 3, 2009

Running Ubuntu 8.04 LTS from an Encrypted USB Drive

A live HDD is a complete mainstream OS, installed on an external USB disk drive of the rotating platter variety. It can be personalized, updated and modified like any desktop installation, with one very important difference: you can use it to boot any PC that can boot from USB (thus earning the title "live").

I set up such a beast (running Debian) more than a year ago and, until recently, used it as a laptop alternative. I think it's neat.

Recently, I've set up a live HDD based on Ubuntu 8.04 LTS. I assumed, erroneously, that it wouldn't be too difficult - after all, Ubuntu is based on Debian, and installing Debian on a live HDD is almost as easy as installing it on a regular desktop PC.

Small print:
  • don't try this on a USB flash memory based disk ("thumb-drive", "disk-on-key") - these devices require special tweaking/distro to make the OS as read-only as possible
  • some USB hard disk drives may also be unsuitable for this because they start up too slowly at power-up for the computer's BIOS to recognize and boot from them. I had this problem with my Western Digital Elements. YMMV.
  • setting up a live HDD requires a working PC with operational USB, networking and optical drive, in order to run the OS installer.
  • please, please, please back up the PC you use for setting up the live HDD, just in case you make a mistake and find yourself installing the OS on the host PC instead.

The installation procedure is tiresome, yet straightforward:
  1. start installing Ubuntu using the alternate install CD, with the external USB disk connected to the computer
  2. select the guided encrypted LVM partitioning option
  3. IMPORTANT: make sure you format the external disk and not any internal disk on the PC being used for running the installer
  4. IMPORTANT: write down the device name of the external disk - you'll need this later
  5. continue the installation until the installer asks you if you want to install GRUB on the internal disk
  6. IMPORTANT: you MUST decline the installer's suggestion
  7. the installer will ask for a destination disk onto which you want GRUB installed: supply the device name you recorded in step 4
  8. complete the installation - but don't attempt to boot into your new system yet!
  9. boot the PC with a live CD and mount the external disk (or do that on another PC)
  10. apply a few tweaks to grub/menu.lst on the first (non-encrypted) partition of the disk:
    • modify, if needed, the grub root device like this:
      # groot=(hd0,0)
      (do not remove the comment marker #)
    • add the string rootdelay=10 to the line that starts with # kopt=, and to each line that starts with kernel
    • one last thing: place the patch file live-hdd-ubuntu-8.04.2.patch somewhere on this partition - you'll need it soon...
    (in my original live HDD article, a few more files had to be modified, but these modifications are not needed anymore)
  11. reboot the PC, enter the BIOS setup screen and configure it to boot from the USB disk (on some PCs the disk is recognized as another hard-disk, so you can simply select it as the device to boot from)
  12. if this were a Debian installation you'd be done, but it's not - the boot process will most likely fail with an error message saying that the root partition has not been found, and you'll end up in a shell with an (initramfs) command prompt
    • type the following commands to continue the boot process:
      cryptsetup luksOpen /dev/disk/by-uuid/d1a9df24-b5c1-4ea2-985a-2f0fa3655fc2 sda5_crypt
      (replace the UUID and the volume identifier with the ones reported by the error message you got - the volume identifier matches the device path of the disk during installation)
    • this should get you into your new system; once there, open a terminal and type the following commands to fix the system:
      sudo su -
      cd /
      patch -p0 < /path/to/live-hdd-ubuntu-8.04.2.patch
      update-initramfs -u
    • reboot

The patch file live-hdd-ubuntu-8.04.2.patch is the one that you've downloaded earlier and placed on the non-encrypted partition of the disk.

The patch fixes the following files:
  • /usr/share/initramfs-tools/init from the initramfs-tools package
  • /usr/share/initramfs-tools/scripts/init-premount/udev from the udev package
The fix makes these initialization scripts behave as in Debian: when the rootdelay parameter is specified on the kernel command line, the system waits for the USB device to settle down before attempting to access it (this seems to be a manifestation of Ubuntu bug #213279).
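
The menu.lst edits from step 10 can be applied by a script instead of by hand. The following is an added example, not part of the original post: the function names are hypothetical, and the sample menu.lst (kernel version, volume names, the (hd1,0) starting value) is constructed for the demo.

```sh
#!/bin/sh
# Added example: the step-10 menu.lst edits as an idempotent script.
# tweak_menu_lst and write_sample_menu_lst are hypothetical helper names.

tweak_menu_lst() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # Keep one pristine backup; never overwrite it on a re-run.
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig" || return 1
    tmp=$f.tmp.$$
    # 1. set the commented groot default to (hd0,0), keeping the "#" marker
    # 2. append rootdelay=10 to the "# kopt=" line
    # 3. append rootdelay=10 to every line that starts with "kernel"
    # Lines that already carry rootdelay= are left alone.
    sed -e 's/^#[[:space:]]*groot=.*/# groot=(hd0,0)/' \
        -e '/rootdelay=/!s/^#[[:space:]]*kopt=.*/& rootdelay=10/' \
        -e '/rootdelay=/!s/^kernel[[:space:]].*/& rootdelay=10/' \
        "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Constructed sample in the layout of an Ubuntu 8.04 menu.lst
# (kernel version, volume names and (hd1,0) are made up for the demo).
write_sample_menu_lst() {
    cat > "$1" <<'EOF'
## default kernel options
## e.g. kopt=root=/dev/hda1 ro
# kopt=root=/dev/mapper/vg-root ro

## default grub root device
# groot=(hd1,0)

title   Ubuntu 8.04.2, kernel 2.6.24-23-generic
root    (hd1,0)
kernel  /vmlinuz-2.6.24-23-generic root=/dev/mapper/vg-root ro quiet splash
initrd  /initrd.img-2.6.24-23-generic

title   Ubuntu 8.04.2, kernel 2.6.24-23-generic (recovery mode)
root    (hd1,0)
kernel  /vmlinuz-2.6.24-23-generic root=/dev/mapper/vg-root ro single
initrd  /initrd.img-2.6.24-23-generic
EOF
}

# Demo: patch a throwaway copy and show what changed.
demo=$(mktemp) && write_sample_menu_lst "$demo" && tweak_menu_lst "$demo"
diff "$demo.orig" "$demo" || true
rm -f "$demo" "$demo.orig"
```

Call tweak_menu_lst with the path to grub/menu.lst on the mounted first partition. Only the lines step 10 names are changed (per-stanza root lines are left as they are), and the untouched original is kept beside the file as menu.lst.orig.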

That's all folks - enjoy your freedom (COUGH).
