October 21, 2011

Update: Booting from the encrypted USB stick

Filed under: Paranoia — martin @ 9:02 pm

So, the business with the Lok-IT USB sticks was certainly a great idea, but the problem is that in practice you cannot boot from them.

Grub, kernel and initrd do get loaded. Unfortunately, though, the USB subsystem apparently gets reset from inside the initrd. A normal USB stick somehow stumbles through that (it works fine with /boot on such a stick), but the Lok-IT locks itself automatically as a safety precaution.

That is a pity, but not the end of the world. Hopefully the last word on this has not been spoken yet.

It is true that the USB bus is reset during boot and that the stick locks itself at that moment to protect itself. But that is no problem at all. You merely have to make sure in /etc/fstab that the system does not try to mount or check /boot while booting. Two thumbs up for my uncrackable terror laptop! 🙂

And, no, there will be no HOWTO on this. Anyone who needs a recipe for it had better keep their hands off.
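The fstab condition the post relies on, as an added example by the editor (not the author's configuration or anything from Lok-IT): a small POSIX sh check that parses an fstab and reports whether an active /boot entry would be mounted or fsck'ed during boot, which is exactly what trips the self-locking stick after the USB reset. The two sample fstab files are constructed, and their UUIDs are placeholders.

```shell
# check_boot_fstab FILE
# Returns 0 when no active /boot entry is mounted or checked at boot,
# 1 otherwise. Prints a verdict for every /boot line it finds.
# A /boot line should carry "noauto" and a pass field of 0, or be
# commented out entirely.
check_boot_fstab() {
    _rc=0
    while read -r dev mnt type opts dump pass; do
        # blank lines and comments are skipped; a commented-out /boot is fine
        case "$dev" in ''|\#*) continue ;; esac
        [ "$mnt" = "/boot" ] || continue
        _ok=1
        case ",$opts," in
            *,noauto,*) ;;
            *) _ok=0; echo "/boot ($dev): no noauto, will be mounted at boot" ;;
        esac
        if [ "${pass:-0}" != "0" ]; then
            _ok=0
            echo "/boot ($dev): pass field is $pass, fsck will touch the stick at boot"
        fi
        [ "$_ok" -eq 1 ] && echo "/boot ($dev): noauto and pass 0, left alone at boot"
        [ "$_ok" -eq 1 ] || _rc=1
    done < "$1"
    return "$_rc"
}

# Constructed sample fstab files (UUIDs are placeholders, not real values).
# The first is the layout an installer typically writes for a separate /boot.
FSTAB_BAD=$(mktemp)
cat > "$FSTAB_BAD" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/root / ext4 errors=remount-ro 0 1
UUID=PLACEHOLDER-BOOT /boot ext2 defaults 0 2
EOF

# The second mounts /boot only on demand and never fscks it at boot.
FSTAB_GOOD=$(mktemp)
cat > "$FSTAB_GOOD" <<'EOF'
/dev/mapper/root / ext4 errors=remount-ro 0 1
UUID=PLACEHOLDER-BOOT /boot ext2 noauto 0 0
EOF

check_boot_fstab "$FSTAB_BAD" || echo "-> $FSTAB_BAD would lock the stick during boot"
check_boot_fstab "$FSTAB_GOOD" && echo "-> $FSTAB_GOOD is safe to boot from"
```

With noauto set, /boot is only mounted when you explicitly run `mount /boot` (for example before a kernel or grub update), so the stick is never touched while the bus is being reset.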


  1. Hello

    Having the same problem here, trying to boot from the device. It resets during the boot process. So how exactly did you fix it? Thanks in advance

    Comment by liviu — January 18, 2012 @ 10:26 am

    • So your German language skills are a bit rusty? 😉 Just make sure that the system doesn’t try to mount /boot by uncommenting it in /etc/fstab.

      Comment by martin — January 18, 2012 @ 10:50 am

      • I don’t speak German but can use Google Translate 🙂
        Thanks for the tip but unfortunately I don’t have /boot on a separate partition so that line is not in my /etc/fstab. I have everything on the “/” partition.
        Perhaps I should try installing Linux again, using a separate /boot partition on the device, removing the line from /etc/fstab like you say?

        After Grub comes up and I select the boot option (from USB), it generates an error like “unable to enumerate USB device on port 1” and the Lok-It device shuts down (led turns off). So I have to unplug it to re-enter PIN and plug it back, then boot process continues. Would love to boot in a smoother manner.

        Have a great day!

        Comment by liviu — January 18, 2012 @ 11:32 am

      • You definitely must have /boot on the USB stick and / on disk, yes. /boot can actually be moved by booting from a live CD and chrooting into the installed system, but it’s a process with many steps that requires some self-confidence regarding the Linux boot process.

        Comment by martin — January 18, 2012 @ 11:49 am

  2. I do have /boot on the stick, just that it is not a different partition but a folder on the / partition. 🙂

    How does it work for you? You enter PIN -> plug device -> Linux boots and that’s it? What Linux distribution are you using?

    Thanks again

    Comment by liviu — January 18, 2012 @ 11:53 am

    • I’m on Debian and it works just like that: Enter PIN, plug in, power on. While booting, the initrd asks for the LUKS password for the / partition. If you are aiming at the same, remember that you need “dmcrypt” in /etc/initramfs-tools/modules.

      Comment by martin — January 18, 2012 @ 12:06 pm

      • Ok, I see. I tried with Linux Mint. I’ll try Debian. I do not plan to use LUKS. Lok-IT hw encryption is enough at this moment, just want to get it to work 🙂
        I’ll fire a Debian distro on it right away. I’ll try Debian 6

        Comment by liviu — January 18, 2012 @ 12:10 pm

      • The prob is that in “my” constellation, you only have hw encryption for /boot and need LUKS to encrypt everything else. Mind you that my goal for using the stick was to move /boot away from a place (the hard drive) where an attacker could manipulate it.

        Comment by martin — January 18, 2012 @ 12:17 pm

  3. ooookkk, it’s clearer now I guess.
    So you’re basically mounting the root partition from the HDD and only have /boot on the stick?

    That would work for me too but I want to have the entire linux on stick, hence my problem with the device resetting itself during the boot process, when it tries to mount /

    Comment by liviu — January 18, 2012 @ 12:20 pm

    • If this is what I were to do, I would try to move initrd out of the equation and try moving to a non-initrd system or a monolithic kernel. I don’t know a whole lot about the USB driver system on Linux, though, so it’s possible that even moving away from initrd won’t keep the USB stick from being shot in the head.

      Comment by martin — January 18, 2012 @ 12:33 pm
