Jump to content

Chainloading from a Dongle to an encrypted USB Linux-distro


Recommended Posts


relating on episode 1406 I have some questions about extending the idea of a portable secure linux-distro on an USB thumbdrive.

In this episode it is explained how to set up an encrypted Linux OS.

My idea was to extend the security with kind a dongle system.

In case someone finds the encrypted USB there are still folders on it that aren't encrypted because they are used BEFORE the encryption starts (the whole boot stuff i.e.). I want to seperate that onto another Dongle-Key which is physically seperated from the actual os-USB-drive.

That means that on the encrypted USB drive there is ONLY ENCRYPTED DATA and nothing else. This also will help against attacks on which the boot folder could become changed or the decryption-software is exchanged to a version including kind a keylogger or what ever. The unencrypted part of the USB drive is for sure a vulnerability.

Was it possible to seperate the unencrypted stuff onto another dongle-usb-key which chainloads into the encrypted USB drive? Also the whole encryption/decryption software (including the keys which also have to be stored somewhere?!?!) should be on that dongle USB. Let's assume we are working with USB 3.0 and speed doesn't matter.

How could that function?

Thanks for your input,


Edited by whitenoise
Link to comment
Share on other sites

Sure, it will work. As long as your laptop supports booting from usb, just set it up like normal, put your unencrypted /boot partition on the thumb drive, and everything else on the laptop's encrypted hard drive. I've read somewhere on the internets of a guy doing that with his home NAS. It boots off a thumb drive, which decrypts the data, but the drive is on the end of a usb extension cable, which is then stuck somewhere behind the cabinet the NAS sits on. He figures if someone was to break into his house, they'd just pull all the cables and run with the box, the data would be useless to them. It's actually a pretty good idea.

Link to comment
Share on other sites

​Can someone walk me through this? I have tried for the past two days, to get both Mint 15 and Ubuntu 13.04 to install /boot to an SD Card. I keep getting "grub-install failed" errors. I've done this before with Ubuntu 11.04 when I had Windows on the first partition, but on this fresh disk, I get the error. The SD is fine, GParted can work on it, no problem. I'm stuck.

​As an alternate, can I just copy /sda1 (DD?) to the MicroSD and then delete sda1? I think I'd need to edit fstab, correct?

​Also, anyone know how to change the encryption from AES to Twofish? No alternate .iso's for the latest builds, and 12.04 LTS uses CBC instead of XTS. (lvm2?)

​Thanks guys.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...