[root tip] Manjaro-To-Go LXDE with persistance

Difficulty: ★★☆☆☆

Manjaro-To-Go LXDE with persistence

This guide is different than the usual guides I write - the purpose of this is to give any of you a serious tool in case of displacement due to war, evacuation due to natural disasters, riots, ban on religious practice etc. You can also use the stick at home for your occasional secure computing - you can have a normal computer in home - and when necessary you can boot the stick - do what you need to do, e.g. keeping it up-to-date - shut it down and hide it for what ever prying eyes - governments, gangs, rebels, thieves - may force their way into your home.

With escalating instability of the world around us - the escalating impact human actions has on our environment - the ever increasing possibilities of having to evacuate - many of us have emergency kits - sleeping bags, food supplies and water - ready to go - we sometimes forget our most vital belongings - the documents that defines us, our origin, our marriage, our children, photos of our relatives, photos of our passports, electronic copies of birth- and marriage certificates, our real-estate documents, proof of ownership for various items we carry - these invaluable documents we don’t want others to get their hands on. Many of us values the Bible over everything and would want to have a copy - even an electronic copy - with us.

We can’t rely on having a computer with us if we need to evacuate but we can rely on - should the need rise - that we can get access to a computer. But we cannot trust others with the stick - they could just copy the documents off the stick - we cannot trust a computer we have not booted to be clean - no keylogger, malware - we cannot trust it to be able to decrypt our data. The Xorg set of display drivers works with recent hardware - but due to the fast development of graphics hardware and though I expect it to work - obviously I cannot make any guarantee.

So this is - in my opinion - the ultimate guide to have a Linux in your pocket - an encrypted Linux - for storage of your personal documents.

What is this about

I will demonstrate how to create a portable encrypted system using an USB device and the most minimal graphical environment possible using Manjaro.

CAUTION

You will be doing the following as root so in case of device names - do double check your devices.

IMPORTANT: Never just unplug your device - you will damage the filesystem. If plugged into another operating system use the system file manager’s eject method or ensure device data has been sync’d using the sync command. Then use umount to safely remove the device.

DISCLAIMER: I take no responsibility if you wreck something because you are to quick on the Enter key.

Let us begin

Change user

Open a terminal and login as root.

$ su -l root
Password: 

Locating your device

Through the rest of this article - I will be using a device path of /dev/sdy - replace with your actual device. You can verify which device you are using by removing all USB flash devices. Insert the device you want to use and list your devices. You can recognize the removable device by the number 1 in the RM column.

Prepare the device

We will be using an unencrypted boot partition, so we cannot hide the presence of a Linux system on the device and where it is. Before we do anything we will fill the device using a random pattern. The benefit is that encrypted data cannot be distinguished from the rest of the device.

Start by unmounting your device - using force if necessary.

# umount -f /dev/sdy

Wipe the device (double check device path) using a random pattern.

# dd if=/dev/urandom of=/dev/sdy bs=4M status=progress

Partitions

For this article I am using a 64G SanDisk Extreme. To be able to exchange unencrypted data without having to boot the USB we will create a partition of 16G. To maximize compatibility we can use exFAT which be read by most systems.

The intention is to create a hybrid USB capable of booting from a BIOS system as well as an EFI system so we need a special BIOS partition as well.

Create GUID partition table

# sgdisk --mbrtogpt /dev/sdy

Create the bios boot partition

# sgdisk --new 1::+1M --typecode 1:ef02 --change-name 1:"BIOS boot partition" /dev/sdy

Create the EFI system partition

# sgdisk --new 2::+50M --typecode 2:ef00 --change-name 2:"EFI System" /dev/sdy

Create the data partition

# sgdisk --new 3::+16G --typecode 3:0700 --change-name 3:"Microsoft basic data" /dev/sdy

Create grub boot partition

# sgdisk --new 4::+1G --typecode 4:8300 --change-name 4:"Linux filesystem" /dev/sdy

Create root partition

# sgdisk --new 5::: --typecode 5:8300 --change-name 5:"Linux filesystem" /dev/sdy

Create hybrid MBR

Arch Linux documentation

# sgdisk --hybrid 1:2:3 /dev/sdy

Boot flag for data partition

# sgdisk --attributes 3:set:2 /dev/sdy

Clean BIOS partition

# wipefs -af /dev/sdy1

Clean and format EFI partition

# wipefs -af /dev/sdy2

FAT32

# mkfs.vfat -vF32 /dev/sdy2

Clean and format data partition

# wipefs -af /dev/sdy3

exFAT

# mkfs.exfat /dev/sdy3

Clean and format grub boot partition

# wipefs -af /dev/sdy4

ext2

# mkfs.ext2 /dev/sdy4

Create LUKS container

The larger --iter-time argument used will create a stronger resistance against brute-force but takes longer to decrypt.
Example 1

# cryptsetup --verbose --hash sha256 --iter-time 2000 --use-random luksFormat /dev/sdy5

Example 2

# cryptsetup --verbose --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdy5

Confirm and enter passphrase twice and unlock the container (longer password - better encryption)

# cryptsetup open --type luks /dev/sdy5 cryptroot

Create an ext4 file system in the container

# mkfs.ext4 /dev/mapper/cryptroot

Mounting

Mount root

# mount /dev/mapper/cryptroot /mnt

Create the /boot folder

# mkdir /mnt/boot

Mount the grub boot partition

# mount /dev/sdy4 /mnt/boot

Create the /boot/efi folder

# mkdir /mnt/boot/efi

And mount the EFI partition

# mount /dev/sdy2 /mnt/boot/efi

Finally create a folder for the data partition

# mkdir /mnt/data

And mount the data partition

# mount /dev/sdy3 /mnt/data

Base installation

Replace $LINUX with the kernel of your choice.

e.g. linux58 - linux-latest or linux-lts

# basestrap /mnt base sudo networkmanager $LINUX links nano vim grub mkinitcpio bash-completion broadcom-wl ipw2100-fw ipw2200 iwlwifi

Configure system

Create fstab

# fstabgen -U /mnt >> /mnt/etc/fstab

Verify the generated fstab has the expected content - remove references to devices which is not your USB /dev/sdy (e.g. the host systems swap - is often added).

Chroot

# manjaro-chroot /mnt /bin/bash

Console keyboard

Example for Denmark

# echo LANG=dk > /etc/vconsole.conf

Hostname

# echo manjaro > /etc/hostname

Edit /etc/hosts

# nano /etc/hosts
127.0.0.1   localhost
::1     localhost
127.0.1.1   manjaro.localdomain   manjaro

Timezone

Example for Denmark

# ln -sf /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
# hwclock --systohc

Network Manager

Enable network connection

# systemctl enable NetworkManager

Enable ntp client

# systemctl enable systemd-timesyncd

Locale

Locale example for Danish locale

  • uncomment en_DK.UTF-8 and en_US.UTF-8

Save file and generate the message table

# nano /etc/locale.gen
# locale-gen

/etc/locale.conf

Locale.conf example for Denmark

# echo LANG=en_DK.UTF-8 > /etc/locale.conf

Root password

# passwd

/etc/mkinitcpio.conf

Add encrypt and block - the order is important - then save the changes

# nano /etc/mkinitcpio.conf
HOOKS="base udev encrypt block keyboard autodetect modconf filesystems fsck"

mkinitcpio - ArchWiki

Build initramfs

# mkinitcpio -P

Install grub

EFI

# grub-install --target=x86_64-efi--boot-directory=/boot --efi-directory=/boot/efi --removable --recheck

BIOS

# grub-install --force --target=i386-pc --recheck --boot-directory=/boot /dev/sdy

Fallback

# grub-install --force --target=i386-pc --boot-directory=/boot --recheck /dev/sdy3

Edit grub default

We could use the device naming but in systemd world this naming may not always be the same - not guaranteed to be identical on every boot - so it is highly recommended to use UUID.

To the UUID of the sdy5 partition holding the cryptroot we use lsblk and define the output to be NAME,UUID.

lsblk -o NAME,UUID /dev/sdy5

You will get two UUIDs - the first being the physical partion - the second the cryptroot partition - and it is the UUID of the physical partition we need for grub.

# nano /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx-yyy-zzzz:cryptroot"

Save the file and create grub config

# grub-mkconfig -o /boot/grub/grub.cfg

Save the file and create grub config

# grub-mkconfig -o /boot/grub/grub.cfg

USB specific considerations

Because we are using USB we know repeating writes is not healthy in the long run.

Switch journal configuration to use RAM and ensure the journal is not filling up the RAM.

# nano /etc/systemd/journald.conf

Modify to include this and save the file

Storage=volatile
SystemMaxUse=16M

Edit your fstab and edit the options to include the noatime option. This will prevent writing to the filesystem every time a file changes which can be a lot.

# nano /etc/fstab

Append to the options list like this - and save the file

# <file system>   <mount point>  <type>  <options>  <dump>  <pass>
UUID=sample-uuid   /              ext4    defaults,noatime 0 1

Exit your chroot and eject the stick

# sync
# exit
# sync

Moment of truth


Verify the stick is bootable on another system at hand. Login as root.

If you are using a cable verify you have a network connection.

nmcli device show | grep  IP4

If you need to create a wireless connection launch the Network Manager console

$ nmtui

Test your internet connection

$ links manjaro.org

If you cannot make a network connection - wireless Broadcom comes to mind - you need to mount the stick in a chroot and install the necessary drivers and then test it again.

Installing minimal GUI


The best GUI for this use case is LXDE. It is based on Openbox window manager and is well known for it’s stability.

Xorg and drivers

sudo pacman -Syu xorg-server xorg-server-common xorg-xinit xf86-video-amdgpu xf86-video-ati xf86-video-intel xf86-video-nouveau xf86-video-vesa xf86-input-libinput xf86-input-evdev

LXDE

LXDE can be installed using the a meta package so for this writeup it is the lxde package also adding some packages to make our life easier.

sudo pacman -Syu lxde epdfview accountsservice gnome-keyring gnome-icon-theme gnome-icons-standard perl-file-mimeinfo xdg-user-dirs xdg-user-dirs-gtk xdg-utils

Spicing LXDE

sudo pacman -Syu lxde-wallpapers manjaro-lxde-config manjaro-lxde-desktop-settings manjor-lxde-logout-banner matcha-gtk-theme manjaro-openbox-matcha papirus-icon-theme papirus-maia-icon-theme ttf-dejavu ttf-roboto xcursor-breeze

Network utilities

sudo pacman -Syu netctl ifplugd iw wpa_supplicant dialog network-manager-applet networkmanager-openvpn

User


The reasoning creating the user lastly is the theming packages. Those packages are installed to /etc/skel and used as skeleton when creating new users.

Choose a username and replace $USERNAME below with the chosen username

# useradd -mUG lp,network,power,sys,wheel $USERNAME

Allow members of wheel group to perform administrative tasks

Run visudo

# visudo

Locate the line reading # %wheel ALL=(ALL) ALL and remove the # in the beginning of the line

%wheel ALL=(ALL) ALL

And press EscShiftzz

Logout from the root session

# exit

Start X


Login with the new username and launch X

$ startx

Remember to shut the system down - don’t remove the stick while it is running :slight_smile:

11 Likes

reserved