Difficulty: ★★☆☆☆
Manjaro-To-Go LXDE with persistence
Original guide at USB LXDE with persistence | root.nix.dk
This guide is different than the usual guides I write - the purpose of this is to give any of you a serious tool in case of displacement due to war, evacuation due to natural disasters, riots, ban on religious practice etc. You can also use the stick at home for your occasional secure computing - you can have a normal computer in home - and when necessary you can boot the stick - do what you need to do, e.g. keeping it up-to-date - shut it down and hide it for what ever prying eyes - governments, gangs, rebels, thieves - may force their way into your home.
With escalating instability of the world around us - the escalating impact human actions has on our environment - the ever increasing possibilities of having to evacuate - many of us have emergency kits - sleeping bags, food supplies and water - ready to go - we sometimes forget our most vital belongings - the documents that defines us, our origin, our marriage, our children, photos of our relatives, photos of our passports, electronic copies of birth- and marriage certificates, our real-estate documents, proof of ownership for various items we carry - these invaluable documents we don’t want others to get their hands on. Many of us values the Bible over everything and would want to have a copy - even an electronic copy - with us.
We can’t rely on having a computer with us if we need to evacuate but we can rely on - should the need rise - that we can get access to a computer. But we cannot trust others with the stick - they could just copy the documents off the stick - we cannot trust a computer we have not booted to be clean - no keylogger, malware - we cannot trust it to be able to decrypt our data. The Xorg set of display drivers works with recent hardware - but due to the fast development of graphics hardware and though I expect it to work - obviously I cannot make any guarantee.
So this is - in my opinion - the ultimate guide to have a Linux in your pocket - an encrypted Linux - for storage of your personal documents.
What is this about
I will demonstrate how to create a portable encrypted system using an USB device and the most minimal graphical environment possible using Manjaro.
CAUTION
You will be doing the following as root so in case of device names - do double check your devices.
IMPORTANT: Never just unplug your device - you will damage the filesystem. If plugged into another operating system use the system file manager’s eject method or ensure device data has been sync’d using the sync command. Then use umount to safely remove the device.
DISCLAIMER: I take no responsibility if you wreck something because you are to quick on the Enter key.
Let us begin
Change user
Open a terminal and login as root.
$ su -l root
Password:
Locating your device
Through the rest of this article - I will be using a device path of /dev/sdy - replace with your actual device. You can verify which device you are using by removing all USB flash devices. Insert the device you want to use and list your devices. You can recognize the removable device by the number 1 in the RM column.
Prepare the device
We will be using an unencrypted boot partition, so we cannot hide the presence of a Linux system on the device and where it is. Before we do anything we will fill the device using a random pattern. The benefit is that encrypted data cannot be distinguished from the rest of the device.
Start by unmounting your device - using force if necessary.
umount -f /dev/sdy
Wipe the device (double check device path) using a random pattern.
dd if=/dev/urandom of=/dev/sdy bs=4M status=progress
Partitions
You can use stick of your choice - you have to adjust the partition sizes accordingly.
For this article I am using a 64G SanDisk Extreme. To be able to exchange unencrypted data without having to boot the USB we will create a partition of 16G. To maximize compatibility we use exFAT which will be readable by most systems.
The intention is to create a hybrid USB capable of booting from a BIOS system as well as an EFI system so we need a special BIOS partition as well.
Create GUID partition table
sgdisk --mbrtogpt /dev/sdy
Create the bios boot partition
sgdisk --new 1::+1M --typecode 1:ef02 --change-name 1:"BIOS boot partition" /dev/sdy
Create the EFI system partition
sgdisk --new 2::+50M --typecode 2:ef00 --change-name 2:"EFI System" /dev/sdy
Create the data partition
sgdisk --new 3::+16G --typecode 3:0700 --change-name 3:"Microsoft basic data" /dev/sdy
Create grub boot partition
sgdisk --new 4::+1G --typecode 4:8300 --change-name 4:"Linux filesystem" /dev/sdy
Create root partition
sgdisk --new 5::: --typecode 5:8300 --change-name 5:"Linux filesystem" /dev/sdy
Create hybrid MBR
sgdisk --hybrid 1:2:3 /dev/sdy
Boot flag for data partition
sgdisk --attributes 3:set:2 /dev/sdy
Clean BIOS partition
wipefs -af /dev/sdy1
Clean and format EFI partition
wipefs -af /dev/sdy2
FAT32
mkfs.vfat -vF32 /dev/sdy2
Clean and format data partition
wipefs -af /dev/sdy3
exFAT
mkfs.exfat /dev/sdy3
Clean and format grub boot partition
wipefs -af /dev/sdy4
ext2
mkfs.ext2 /dev/sdy4
Create LUKS container
The larger --iter-time argument used will create a stronger resistance against brute-force but takes longer to decrypt.
- Example 1
cryptsetup --verbose --hash sha256 --iter-time 2000 --use-random luksFormat /dev/sdy5 - Example 2
cryptsetup --verbose --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdy5
Confirm and enter passphrase twice and unlock the container (longer password - better encryption)
cryptsetup open --type luks /dev/sdy5 cryptroot
Create an ext4 file system in the container
mkfs.ext4 /dev/mapper/cryptroot
Mounting
Mount root
mount /dev/mapper/cryptroot /mnt
Create the /boot folder
mkdir /mnt/boot
Mount the grub boot partition
mount /dev/sdy4 /mnt/boot
Create the /boot/efi folder
mkdir /mnt/boot/efi
And mount the EFI partition
mount /dev/sdy2 /mnt/boot/efi
Finally create a folder for the data partition
mkdir /mnt/data
And mount the data partition
mount /dev/sdy3 /mnt/data
Base installation
Replace $LINUX with the kernel of your choice.
e.g. linux515
basestrap /mnt base sudo networkmanager $LINUX links nano vim grub mkinitcpio bash-completion broadcom-wl ipw2100-fw
Configure system
Create fstab
fstabgen -U /mnt >> /mnt/etc/fstab
Verify the generated fstab has the expected content - remove references to devices which is not your USB /dev/sdy (e.g. the host systems swap - is often added).
Chroot
manjaro-chroot /mnt /bin/bash
Console keyboard
Example for Denmark
echo LANG=dk > /etc/vconsole.conf
Hostname
echo manjaro > /etc/hostname
Edit /etc/hosts
nano /etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.1.1 manjaro.localdomain manjaro
Timezone
Example for Denmark
ln -sf /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
hwclock --systohc
Network Manager
Enable network connection
systemctl enable NetworkManager
Enable ntp client
systemctl enable systemd-timesyncd
Locale
Locale example for Danish locale
- uncomment en_DK.UTF-8 and en_US.UTF-8
Save file and generate the message table
nano /etc/locale.gen
locale-gen
/etc/locale.conf
Locale.conf example for Denmark
echo LANG=en_DK.UTF-8 > /etc/locale.conf
Root password
This is important - if you don’t set it you will not be able to login as root - so the other option is to create a user with admin before rebooting. Pick a good password and do not reuse your luks key
passwd
/etc/mkinitcpio.conf
Add encrypt and block - the order is important - then save the changes
# nano /etc/mkinitcpio.confHOOKS="base udev encrypt block keyboard autodetect modconf filesystems fsck"
Build initramfs
mkinitcpio -P
Install grub
EFI
grub-install --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --removable --recheck
BIOS
grub-install --force --target=i386-pc --recheck --boot-directory=/boot /dev/sdy
Fallback
grub-install --force --target=i386-pc --boot-directory=/boot --recheck /dev/sdy3
Edit grub default
We could use the device naming but in systemd world this naming may not always be the same - not guaranteed to be identical on every boot - so it is highly recommended to use UUID.
To the UUID of the sdy5 partition holding the cryptroot we use lsblk and define the output to be NAME,UUID.
lsblk -o NAME,UUID /dev/sdy5
You will get two UUIDs - the first being the physical partion - the second the cryptroot partition - and it is the UUID of the physical partition we need for grub.
# nano /etc/default/grubGRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx-yyy-zzzz:cryptroot"
Save the file and create grub config
grub-mkconfig -o /boot/grub/grub.cfg
USB specific considerations
Because we are using USB we know repeating writes is not healthy in the long run.
Switch journal configuration to use RAM and ensure the journal is not filling up the RAM.
nano /etc/systemd/journald.conf
Modify to include this and save the file
Storage=volatile
SystemMaxUse=16M
Edit your fstab and edit the options to include the noatime option. This will prevent writing to the filesystem every time a file changes which can be a lot.
nano /etc/fstab
Append to the options list like this - and save the file
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=sample-uuid / ext4 defaults,noatime 0 1
Exit your chroot and eject the stick
sync
exit
cryptsetup close /dev/mapper/cryptroot
sync
Moment of truth
Verify the stick is bootable on another system at hand. Login as root.
If you are using a cable verify you have a network connection.
nmcli device show | grep IP4
If you need to create a wireless connection launch the Network Manager console
nmtui
Test your internet connection
links manjaro.org
If you cannot make a network connection - various Broadcom and RALink based devices comes to mind - you need to mount the stick in a chroot and install the necessary drivers and then test it again.
Installing minimal GUI
The best GUI for this use case is LXDE. It is based on Openbox window manager and is well known for it’s stability.
Xorg and drivers
sudo pacman -Syu xorg-server xorg-server-common xorg-xinit xf86-video-amdgpu xf86-video-ati xf86-video-intel xf86-video-nouveau xf86-video-vesa xf86-input-libinput xf86-input-evdev
LXDE
LXDE can be installed using the a meta package so for this writeup it is the lxde package also adding some packages to make our life easier.
sudo pacman -Syu lxde epdfview accountsservice gnome-keyring gnome-icon-theme gnome-icons-standard perl-file-mimeinfo xdg-user-dirs xdg-user-dirs-gtk xdg-utils
Spicing LXDE
sudo pacman -Syu lxde-wallpapers manjaro-lxde-config manjaro-lxde-desktop-settings manjor-lxde-logout-banner matcha-gtk-theme manjaro-openbox-matcha papirus-icon-theme papirus-maia-icon-theme ttf-dejavu ttf-roboto xcursor-breeze
Network utilities
sudo pacman -Syu netctl ifplugd iw wpa_supplicant dialog network-manager-applet networkmanager-openvpn
User
The reasoning creating the user lastly is the theming packages. Those packages are installed to /etc/skel and used as skeleton when creating new users.
Choose a username and replace $USERNAME below with the chosen username
useradd -mUG lp,network,power,sys,wheel $USERNAME
Allow members of wheel group to perform administrative tasks
Run visudo
visudo
Locate the line reading # %wheel ALL=(ALL) ALL and remove the # in the beginning of the line
%wheel ALL=(ALL) ALL
And press EscShiftzz
Logout from the root session
exit
Start X
Login with the new username and launch X
startx
Remember to shut the system down - don’t remove the stick while it is running 
Revisions
- 2021-05-10T14:45:00Z removed obsolete packages from basestrap