@@ -0,0 +1,69 @@ |
|
|
This guide shows how to install debian so that it can be booted and run from a USB drive on a MacBook Air. I use this to store a copy of my PGP master keypair. Networking is deliberately not configured and all operations requiring the master keypair (such as signing other people's keys) are done only on this system. See [the debian wiki][1] for information on how to separate your key. Note that this is slightly different to using a live CD. It is not possible to tailor the base configuration of a live CD to one's own requirements, and they frequently automatically connect to the nearest local network. Nevertheless, if you wish to use a live CD instead, I recommend [Tails][2]. Arturo Filastò has written [a similar guide for Tails][3]. |
|
|
|
|
|
[1]: https://wiki.debian.org/Subkeys |
|
|
[2]: https://tails.boum.org |
|
|
[3]: https://github.com/hellais/TAILS-OSX |
|
|
|
|
|
The method I use requires [VirtualBox][4], which should also contain a working debian installation itself. An alternative method would be to use [debootstrap][5] but I won't go into that here. Part of the difficulty that some people have with this setup is that modern Macs require UEFI-compatible USB drives to boot from. |
|
|
|
|
|
[4]: https://www.virtualbox.org |
|
|
|
|
|
|
|
|
## Install the base debian system |
|
|
|
|
|
The first step is to create a new VirtualBox machine. However, do not add a virtual hard drive to it. Instead, put the [debian installation ISO][5] into the "CD drive" of the VM. Put the USB drive into your Mac and enable it on the VM (Settings > Ports > USB > USB Device Filters). Start the VM, and install debian. A few notes: |
|
|
|
|
|
[5]: https://www.debian.org/distrib/netinst |
|
|
|
|
|
When it comes to partitioning the drive, I use manual partitioning. I create four partitions: |
|
|
|
|
|
- 100MB bootable FAT32 partition mounted at /boot/efi |
|
|
- 10GB non-bootable ext2 partition mounted at / |
|
|
- 2 x 1GB partitions which are non-bootable, not mounted, and not formatted until later |
|
|
|
|
|
Also, don't install a bootloader (this is done later). |
|
|
|
|
|
|
|
|
## Making it bootable |
|
|
|
|
|
When the installation is done, boot up a VM containing a running debian installation and insert the USB drive making sure to pass it through to the VM. I'm going to assume that it is on `sdb`; if you are not sure then check the output of the kernel buffer at the point at which you insert it (`dmesg | tail`). Mount the new USB drive along with a few parts of the existing running VM and chroot into it: |
|
|
|
|
|
% mkdir /mnt/sdb2 && mount /dev/sdb2 /mnt/sdb2 |
|
|
% mkdir /mnt/sdb2/boot/efi && mount /dev/sdb1 /mnt/sdb2/boot/efi |
|
|
% for x in /dev /dev/pts /proc /sys; do |
|
|
> mount -B $x /mnt/sdb2$x |
|
|
> done |
|
|
% chroot /mnt/sdb2 |
|
|
|
|
|
Install GRUB2 and copy the bootloader to where the MacBook expects to find it: |
|
|
|
|
|
% apt-get update |
|
|
% apt-get install grub-efi-amd64 |
|
|
% grub-install /dev/sdb |
|
|
% mkdir /boot/efi/EFI/boot |
|
|
% cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/boot/bootx64.efi |
|
|
% update-grub |
|
|
|
|
|
Whilst you are in the chroot jail and connected to the internet, you can install any other software you think you might need before exiting and unmounting: |
|
|
|
|
|
% apt-get install sudo vim cryptsetup |
|
|
% exit |
|
|
% for x in /dev/pts /dev /proc /sys /boot/efi / ; do |
|
|
> umount /mnt/sdb2$x |
|
|
> done |
|
|
|
|
|
And that should be everything. When you reboot your Mac to test this, don't forget to hold down the Option key at startup to boot from USB. |
|
|
|
|
|
|
|
|
## Creating an encrypted partition |
|
|
|
|
|
Although I physically secure the USB drive and it is not connected to the internet, it's not quite secure enough. Whilst I would certainly revoke the key if it were stolen, I'd want the reassurance that the thief is nevertheless unlikely to get their hands on the master keypair without effort beyond that warranted for someone with nothing terribly exciting to hide. Also, this stops it from being "borrowed" without me noticing. |
|
|
|
|
|
This is where those last two partitions come into play. I encrypt `sdb3` using dm-crypt and format `sdb4` as a FAT32 partition for ferrying data to and from the USB drive: |
|
|
|
|
|
% cryptsetup luksFormat /dev/sdb3 |
|
|
% cryptsetup luksOpen /dev/sdb3 SECURE |
|
|
% mkfs.ext2 /dev/mapper/sdb3 |
|
|
% mkfs.vfat /dev/sdb4 |
|
|
|
|
|
I keep the gnupg home directory on the SECURE partition and use the `--homedir` switch to specify its location. |
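Review bot: the device path in the encrypted-partition block is wrong: `cryptsetup luksOpen /dev/sdb3 SECURE` creates the mapping at `/dev/mapper/SECURE`, so the following `mkfs.ext2 /dev/mapper/sdb3` will fail with "No such file or directory" (or, worse, if a reader "corrects" it to `/dev/sdb3`, it formats over the LUKS header just written). It should read `mkfs.ext2 /dev/mapper/SECURE`, and the section would be clearer if it also showed mounting that device and later closing it with `cryptsetup luksClose SECURE` before the drive is removed. Separately, the reference `[5]` is used twice: `[debootstrap][5]` in the VirtualBox paragraph resolves to the definition `[5]: https://www.debian.org/distrib/netinst`, so the debootstrap link points at the netinst page; give debootstrap its own reference number and URL. Minor: "A few notes:" in the install section is followed by a paragraph rather than a list, so either drop the colon or turn the partitioning and bootloader remarks into list items.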