Encrypted portable Linux installation on a flashdrive

Hello!
I would like to create an encrypted Linux installation on a USB stick that I can boot into on multiple computers. Could you please give me a hand? I’m not quite sure how to go about it.

It’s not the first time I installed Linux, I used Debian previously for quite some time and installing Linux encrypted is not the problem, it’s the bootable on multiple PCs part I’m having trouble figuring out, though I imagine the encryption might require some tweaking too if I want the stick to work on multiple computers, I really have no idea. I thought of using Devuan instead of Debian since AFAIK systemd which Debian uses is hard to make portable. Honestly I’m not very set on the distro, I would prefer a fully FOSS distribution but if having some proprietary software installed will be required/much easier I’m just gonna deal with it, I’ll probably need to install graphics drivers for at least two PCs I’m gonna be booting the stick on.

I know I’m probably not going to have full disk encryption but I would like to encrypt more than just /home, encrypting the entire / partition with only /boot left readable would be ideal.

Could you please give me some instructions on how to go about making such installation?

It should be fine.

If the encryption is just passphrase based, it’ll work regardless of the system it’s booted on.

It’d be the bootloader that could potentially be an issue.

Does the system have to work on bare metal or can it be a VM? Maybe prepare a distro in a similar way as Privatix used to be.

https://www.itninja.com/blog/view/create-a-bootable-encrypted-usb-running-linux-mint-16
https://www.itninja.com/blog/view/more-bootable-encrypted-usb-or-microsd-linux-distro-s-now-with-a-nuke-option

So long as you’re not booting from the same USB device you’re installing to, you don’t have to do anything special.

Just install with the USB drive as the target. Linux doesn’t care, block devices are block devices.

I thought of using Devuan instead of Debian since AFAIK systemd which Debian uses is hard to make portable.

I’d recommend against Devuan without a strong reason unless you’re a master of dpkg-fu, at least for now. When Beowulf is officially released, it’ll be nice, but there are still a ton of rough edges that are frustrating.

Debian Buster is probably your best bet, and has a potential Beowulf upgrade path going forward should you want to switch later.

I would prefer a fully FOSS distribution but if having some proprietary software installed will be required/much easier I’m just gonna deal with it, I’ll probably need to install graphics drivers for at least two PCs I’m gonna be booting the stick on.

Debian separates software out at the repository level, and they have some strict standards on what is considered “Free Software”. They classify certain firmware as non-free that other distros (like Fedora) ship.

Should you need them, they’re available. Should you want to remove them, it’s easy to remove.

encrypting the entire / partition with only /boot left readable would be ideal.

I generally make a small ESP partition for UEFI, a small /boot partition for BIOS, and then one encrypted partition. Inside the encrypted partition, LVM.

I can’t think of an installer that doesn’t handle that setup.
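Added example, not part of the reply above: a Python check of the layout that reply describes (ESP, /boot, one LUKS partition holding LVM) against the goal from the question that only /boot stays readable. It parses `lsblk -J` output captured while booted from the stick; the sample JSON, device names and volume names are constructed.

```python
import json

# GPT type GUID of an EFI System Partition
ESP_GUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"

# Constructed, trimmed sample of
#   lsblk -J -o NAME,TYPE,FSTYPE,PARTTYPE,MOUNTPOINT /dev/sdb
# taken while booted from the stick (device and volume names are made up).
SAMPLE = """
{"blockdevices": [{"name": "sdb", "type": "disk", "fstype": null, "children": [
  {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi",
   "parttype": "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"},
  {"name": "sdb2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "sdb3", "type": "part", "fstype": "crypto_LUKS", "children": [
    {"name": "usbcrypt", "type": "crypt", "fstype": "LVM2_member", "children": [
      {"name": "usb-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
      {"name": "usb-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
    ]}]}]}]}
"""

def walk(node, under_luks=False):
    """Yield (node, under_luks) for a device and every device stacked on it."""
    yield node, under_luks
    below = under_luks or node.get("fstype") == "crypto_LUKS"
    for child in node.get("children", []):
        yield from walk(child, below)

def audit(lsblk_json, disk):
    """Return findings: plaintext data on `disk` outside the ESP and /boot."""
    devices = json.loads(lsblk_json)["blockdevices"]
    top = next((d for d in devices if d["name"] == disk), None)
    if top is None:
        return [f"{disk}: not in lsblk output"]
    findings, root_encrypted = [], False
    for node, under_luks in walk(top):
        fstype, mnt = node.get("fstype"), node.get("mountpoint")
        if mnt == "/" and under_luks:
            root_encrypted = True
        if fstype in (None, "crypto_LUKS") or under_luks:
            continue  # no filesystem, the LUKS header itself, or data inside LUKS
        if node.get("parttype") == ESP_GUID or mnt == "/boot":
            continue  # the two partitions this layout leaves readable
        findings.append(f"{node['name']}: plaintext {fstype} at {mnt}")
    if not root_encrypted:
        findings.append(f"{disk}: / is not mounted from inside a LUKS container")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "sdb") or "only the ESP and /boot are readable")
```

An empty list means everything except the ESP and /boot sits inside the LUKS container; each finding names a device that would be readable without the passphrase.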

I got my start in Linux messing with flash drives like that. Most mainstream distros (Mint, *buntu, Suse, etc) will set up full-disk encryption for you in the installer if you ask.

I tried a similar thing without the encryption once. I’m not sure if the installation worked or not because it put GRUB on my laptop’s internal drive, not the target media. That was fun to fix. So I’d recommend doing a manual install and even removing your internal drives if possible (i.e. if you feel like it).

There are a few distros designed to run off a flash drive, essentially the Puppy Linux family. When I tried it out years ago, it was…pretty rough going. You have to manually save individual files by moving them to a preserved partition, or something (system file changes were lost), and it’s a pretty spartan install. I’m not sure if it even supports encryption officially. But the advantage of Puppy is that it runs off a ramdisk iirc, since USB is slow.

If you install a normal distro onto a flash drive, I wouldn’t expect it to be super responsive or load stuff quickly, at least over USB 2.0. Experiment, of course, but you might need to invest in a drive with really fast random reads.

Thanks for all of the responses guys!
I’m going to be using a USB 3.0 key for that reason, I know the system would be very sluggish over 2.0 and I hope 3.0 will help at least a little.
I know the installation itself won’t be too difficult, as mentioned above most installers let you just install to a flashdrive and set up encryption pretty painlessly. I was wondering what I would have to do once booted on the install PC to make the system bootable on other machines, how to prepare it to run on a variety of different hardware configurations.
Are there any packages I should install? Maybe there is a kernel compilation baked with many many drivers that is handy for that purpose I should switch to? How do I set up the init to handle specs changing from one boot to another? Have different nvidia/amd drivers installed?
I know it’s a lot of stuff but I want to be prepared and know what I’m doing.

I was wondering what I would have to do once booted on the install PC to make the system bootable on other machines

Using Debian/Devuan, install the firmware-linux-nonfree package. On Ubuntu, the linux-firmware package. The same or similar package exists on other distros.

That’s really all you need to boot a modern amd64 system (Core 2 Duo and later). Hardware support is handled by the combination of the Linux kernel and device firmware.

Linux isn’t Windows. It doesn’t care if it boots on a different motherboard each time. Hardware is probed at boot and the kernel modules for the hardware it detects are loaded. So long as Linux itself supports the device, having a kernel is all you need.

Maybe there is a kernel compilation baked with many many drivers that is handy for that purpose I should switch to?

No, use your distro’s kernel. If your favorite distro does something really bad to their kernels, that’s a reason to consider changing distro, not building your own kernel.

Unless you have a definitive, concrete reason for building your own, “build your own kernel” is almost always the wrong answer. Learning, curiosity, and development are valid reasons. “Better hardware support” and “performance” are not.

Most performance related parameters can be adjusted on any kernel with boot parameters or sysctl tuning. Devices that are supported by Linux but not in the mainline kernel are going to be a nightmare no matter what, and building a custom kernel isn’t the solution there, either.

How do I set up the init to handle specs changing from one boot to another?

Turn your computer on. 🙂

Have different nvidia/amd drivers installed?

You’ll likely have to switch between them when hopping back and forth. For various reasons (nvidia), they do not play nice with each other.

When you boot, you’ll get the nouveau driver by default on an Nvidia system. You’ll get the radeon or amdgpu driver on an AMD system.

AMD’s GPU drivers are open source and included in Linux. There’s nothing more to do if you’ve installed the firmware packages mentioned at the beginning of the post. Those include amdgpu firmware, and you should be able to launch games with reasonable performance doing nothing else.

As for Nvidia and older non-amdgpu Radeon cards, just do whatever your distro of choice suggests. Many distros have a driver utility, or will recommend installing a specific package.
