Monday, May 14, 2012

USB rescue and secure boot disk

I think it's always good to carry a rescue operating system, like Ultimate Boot CD for Linux or UBCD for Windows. Personally I like Grml, debian-based, 32/64 bits and it can be installed on USB.

Booting from CD/USB is as simple as embedding syslinux, a kernel, an initrd and give it a filesystem. The filesystem can be stored on the CD/USB (usually as a squashfs file), but you can also point to a local filesystem. This way, you can have a fully encrypted local disk and boot (kernel+initrd) from CD/USB. And good news, this is not specific to Linux! If you use TrueCrypt on Windows, you can chain syslinux to grub4dos and boot from your TrueCrypt Rescue Disk ISO file.

Since TrueCrypt does not use the TPM (unlike BitLocker) and Linux solutions (e.g. TrustedGrub) are not yet ready, this simple workaround allows you to protect against tampering of the non-encrypted disk portions (mbr, /boot), because this part of the boot chain is on the USB key.

This post will describe how to set up a USB disk with grml32/64, grub4dos for TrueCrypt Rescue Disks, a Linux /boot and how to add other live CDs.

Set up the USB key

Erase the existing table of partitions:
# dd if=/dev/zero of=/dev/sdb bs=512 count=1
Create a new one:
# cfdisk /dev/sdb
Choose primary, take all available size, make it bootable, change type to 0b (WIN95 FAT32), write changes, confirm with yes and exit with q.

Format the partition to FAT32 and optionally label (-n) the device:
# mkfs.vfat -n usb /dev/sdb1
Tip: if you don't have it, apt-get install dosfstools

Install grml

Download the latest grml ISO you're interested in, check integrity and authenticity:
# wget ''
# wget ''
# gpg --verify grml64-full_2014.11.iso.sha1.asc
# cat grml64-full_2014.11.iso.sha1.asc
# sha1sum grml64-full_2014.11.iso

Make sure you have syslinux installed (usually available as a package), and a version >= 4:
# syslinux -v 
syslinux 4.05 Copyright 1994-2010 H. Peter Anvin et al
Tip: if you don't have it, apt-get install syslinux

Get the latest version of grml2usb:
# git clone git://
# cd grml2usb
# make -C mbr

Install grml32/64 with syslinux bootloader (the default) on the USb key:
# ./grml2usb ~/grml64-full_2014.11.iso /dev/sdb1

Test the USB boot key

You can reboot or try it on another computer, or simply set up a virtual machine and boot it from USB. But... most virtualization softwares do not support boot from USB, so how? Since boot from ISO is pretty standard, you can boot on plop boot manager, a tiny ISO (544KB as of version 5.0.14) which will set up USB to allow booting from a USB key. It is also very useful on old machines that don't support boot from USB.

If it works, you should see a grml menu similar to this:

Configure boot options

Grml has a large number of useful boot options, check them on

I like to configure the default to run from RAM, have network and ssh. To do this edit boot/syslinux/grml64_full_default.cfg then append ssh=PASSWORD toram=grml64-full.squashfs to the append line.

Boot your encrypted Linux from USB

If you use a fully encrypted Linux setup, with a plain /boot (with grub, kernel and initrd) and an encrypted LVM (with the system), you can move the /boot on this USB key to prevent tampering of the hard disk /boot. I agree you just move the problem to the security of the USB key, which can be increased with a hardware encrypted USB key.

Assuming the machine is named linux and using a 3.3.6 Linux kernel:
# mkdir /mnt/usb/linux
# cp /boot/{vmlinuz,initrd.img}-3.3.6 /mnt/usb/linux/
# cat << EOF >> /mnt/usb/boot/syslinux/additional.cfg
menu begin linux
    menu title Encrypted Linux
    label mainmenu
    menu label ^Back to main menu...
    menu exit
    menu separator

    label linux
        menu label ^Linux
        kernel /linux/vmlinuz-3.3.6
        append initrd=/linux/initrd.img-3.3.6 root=/dev/mapper/vg-root ro quiet splash

menu end

You can add as many machines /boot as you want: just copy the kernel/initrd and edit syslinux configuration.

Now keeping this up to date after kernel upgrades is a bit annoying, so I made a little script script to automate synchronization of /boot.

Add grub4dos to boot TrueCrypt rescue disks

Booting a TrueCrypt rescue disk ISO requires a bootloader able to boot ISO files, such as grub4dos.
Get grub4dos:
# wget ''
# unzip
# cd grub4dos-0.4.4

Install it on the USB key:
# cp grub.exe /mnt/usb/boot/addons/
# cat << EOF >> /mnt/usb/boot/syslinux/additional.cfg
label grub4dos
  menu label Run Grub^4dos (TrueCrypt Rescue Disks)
  kernel /boot/addons/grub.exe
# cp grldr menu.lst /mnt/usb/

Grub4dos configuration file is menu.lst. Based on this blog post, you can add something like:
title TrueCrypt Rescue Disk
find --set-root /truecrypt/rescue.iso
map --mem /truecrypt/rescue.iso (hd32)
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
root (hd32)
chainloader (hd32)

Finally, copy your TrueCrypt rescue disk:
# mkdir /mnt/usb/truecrypt
# cp rescue.iso /mnt/usb/truecrypt/

Of course, you can add as many TrueCrypt rescue disks as you want: copy the ISO files and update menu.lst.

Booting on TrueCrypt rescue disk

Power off your Windows with TrueCrypt system encryption, boot on USB. From the Grml menu, choose grub4dos. From the grub4dos menu, choose TrueCrypt and you should be presented with the usual TrueCrypt boot menu asking for the password.

You can go further and remove the TrueCrypt bootloader from your hard disk. Based on this post: boot on the rescue disk, choose repair, choose restore original system loader, say yes when it asks if the partition is decrypted (which is not true), choose restore key data and done. The disk now has the original Windows loader (not suspicious), then some garbage (the encrypted data) which makes it unbootable without the rescue disk.

Adding other live CDs

What if you want to add your favourite live CD? Just extract its content, add them to the USB key and create a syslinux menu for it. Example with Backtrack 5 R2 Gnome 64 edition.

Download the ISO, mount them and copy the contents on the USB key:
# wget '' \
  -O BT5R2-GNOME-64.iso
# mkdir /mnt/bt5-64
# mount BT5R2-GNOME-64.iso /mnt/bt5-64
# cp -a /mnt/bt5-64 /mnt/usb/

Include a dedicated config file for bt5-64:
# echo 'include bt5-64.cfg' >> /mnt/usb/boot/syslinux/additional.cfg
Create bt5-64.cfg based on Backtrack's bt5-64/isolinux/isolinux.cfg. Example:
menu begin bt5-64
menu title BackTrack 5 (64 bits)

label mainmenu
menu label ^Back to main menu...
menu exit
menu separator

menu title BackTrack 5 (64 bits) Live CD
menu background /bt5-64/isolinux/splash.png
menu color title 1;37;44 #c0ffffff #00000000 std

label BT5-64-DEFAULT
  menu label BackTrack Text - Default Boot Text Mode
  kernel /bt5-64/casper/vmlinuz
  append file=/cdrom/bt5-64/preseed/custom.seed boot=casper initrd=/bt5-64/casper/initrd.gz text cdrom-detect/try-usb=true live-media-path=bt5-64/casper splash vga=791--

label BT5-64-STEALTH
  menu label BackTrack Stealth - No Networking enabled
  kernel /bt5-64/casper/vmlinuz
  append file=/cdrom/bt5-64/preseed/custom.seed boot=casper initrd=/bt5-64/casper/initrds.gz text cdrom-detect/try-usb=true live-media-path=bt5-64/casper splash staticip vga=791--

label BT5-64-FORENSICS
  menu label BackTrack Forensics - No Drive or Swap Mount
  kernel /bt5-64/casper/vmlinuz
  append file=/cdrom/bt5-64/preseed/custom.seed boot=casper initrd=/bt5-64/casper/initrdf.gz text cdrom-detect/try-usb=true live-media-path=bt5-64/casper splash vga=791--

label BT5-64-NODRM
  menu label BackTrack noDRM - No DRM Drivers
  kernel /bt5-64/casper/vmlinuz
  append file=/cdrom/bt5-64/preseed/custom.seed boot=casper initrd=/bt5-64/casper/initrd.gz text cdrom-detect/try-usb=true live-media-path=bt5-64/casper splash nomodeset vga=791--

label BT5-64-debug
  menu label BackTrack Debug - Safe Mode
  kernel /bt5-64/casper/vmlinuz
  append file=/cdrom/bt5-64/preseed/custom.seed boot=casper initrd=/bt5-64/casper/initrd.gz text cdrom-detect/try-usb=true live-media-path=bt5-64/casper--

label exit
menu hide
kernel isolinux.bin

label back
menu hide
kernel isolinux.bin

label quit
menu hide
kernel isolinux.bin

menu end
With this, you have a new menu BackTrack 5 (64 bits), which when entered has the background (splash) and options exactly as if you booted the BackTrack ISO.


You have now a USB key with:
  • a powerful bootable rescue system: grml, 32/64 bits
  • the /boot of your Linux encrypted machines (to prevent from tampering)
  • the TrueCrypt Rescue disks of your Windows machines with system encryption (idem)
  • your favorite live CDs
  • free space to store files, after all it's just a FAT32 partition

Last, some nice live bootable systems if you don't know them already:

1 comment: