Ubuntu – Password in Persistent Live USB – is it possible

passwordpersistencerootusb

I've just created the persistent live usb (using mkusb – persistence works). The problem is that there is no password and any program can be installed from terminal with root.

Is it possible to create root password in persistent live usb?

Best Answer

New user with encrypted home in a persistent live drive

Yes it is possible to create a new user with encrypted home in a persistent live drive made with mkusb. I have done it so I know that it works. It is probably easiest if you install gnome-system-tools and use users-admin.

sudo apt install gnome-system-tools

users-admin

or start it via the graphical user interface.

Select Add to create a new user and select encrypt home folder. Otherwise the password is not really meaningful in this kind of system.

Warning: it is very important to backup the system regularly and to remember the password to the encrypted system. Otherwise you might lose your data. There is no back door.

If you keep the default user, the system will auto-login (unless you change that setting). Log out and select the new user ('tester' in the example below) and enter the password.

If you intend to remove the default user, you should make your new user an administrator, and be sure that you can run sudo. (You should not be able to remove the default user without sudo in standard Ubuntu, and if you manage to remove it anyway, your system would be crippled with no user to manage the system.)

sudo deluser ubuntu  # in standard Ubuntu (modify user name in the flavours)

Problems with Firefox and Thunderbird

It was more difficult to create a basic working Lubuntu system with a new user with encrypted home. And after further testing we found that neither Firefox nor Thunderbird works, not for the OP in Xubuntu and not for me in Lubuntu and standard Ubuntu. So I am affected too. I suspect that it is some security feature that stops the Mozilla software from working.

I installed Midori, a light-weight web browser, and it works without problems. It can be used for webmail (I tested with my gmail account). - But if it is necessary for you to use Firefox and Thunderbird, this kind of persistent live system is a dead end street.

Alternative: Installed system in a USB drive

An alternative is to make an installed system with or without encrypted disk or encrypted home if you wish - installed like into an internal drive, but into a USB drive. It is easiest to install it correctly, if you remove the internal drive from the computer, where you create it. There are some tips at the following links,

help.ubuntu.com/community/Installation/UEFI-and-BIOS

Ubuntu on a USB stick - mount options to reduce writes

Quick fix

This is a quick fix, that is not adding security against a qualified attack, but maybe it would be enough to prevent tampering by curious persons, to make your persistent live tweaks in Xubuntu 'noob-proof': move (rename) sudo and remove the gui tools to manage programs, gnome-software, update-manager and maybe software-properties-gtk.

sudo mv /usr/bin/sudo /usr/bin/opns
opns apt remove gnome-software
opns apt remove update-manager
opns apt remove software-properties-gtk

Or better, move sudo to some other name, that is more difficult to guess. The following screenshot illustrates that it works to use the 'moved sudo' command to install a program package,

opns apt install htop

Persistent live Ubuntu

I tested, and yes, you can remove the original ubuntu user after creating a custom user ID with a good password and admin (sudo) permissions.
```
sudo add-apt-repository universe
sudo apt update
sudo apt install gnome-system-tools
```
and you get a convenient tool to create a custom user,
```
users-admin
```
Remember the admin (sudo) permissions!

It is a good idea to set the permissions of your subdirectories (in your home directory) to only allow your own user to see them. And set the permissions for the files in a corresponding way.
```
cd
find * -type d -exec chmod 700 {} \;
find * -type f -exec chmod 600 {} \;
```
Using * instead of . excludes the hidden directories and files from these actions.

Test:

Logging in live-only, 'Try Ubuntu', does not give direct access to files saved in Documents. but the default ubuntu live has sudo permissions, and can access these files that way.

ubuntu@ubuntu:/media/ubuntu/casper-rw/upper/home/tester$ ls -l
total 44
drwx------ 2 1000 1000 4096 Jan 24 20:28 Desktop
drwx------ 2 1000 1000 4096 Jan 24 20:58 Documents
drwx------ 2 1000 1000 4096 Jan 24 20:28 Downloads
drwx------ 2 1000 1000 4096 Jan 24 20:28 Music
drwx------ 2 1000 1000 4096 Jan 24 20:28 Pictures
drwx------ 2 1000 1000 4096 Jan 24 20:28 Public
drwx------ 2 1000 1000 4096 Jan 24 20:28 Templates
drwx------ 2 1000 1000 4096 Jan 24 20:28 Videos
-rw------- 1 1000 1000 8980 Jan 24 20:27 examples.desktop
ubuntu@ubuntu:/media/ubuntu/casper-rw/upper/home/tester$ ls -l Documents/
ls: cannot open directory 'Documents/': Permission denied
ubuntu@ubuntu:/media/ubuntu/casper-rw/upper/home/tester$ sudo ls -l Documents/
total 8
-rw-r--r-- 1 1000 1000 7 Jan 24 20:54 hej
-rw-r--r-- 1 1000 1000 6 Jan 24 20:58 hi
ubuntu@ubuntu:/media/ubuntu/casper-rw/upper/home/tester$ cat Documents/hi
cat: Documents/hi: Permission denied
ubuntu@ubuntu:/media/ubuntu/casper-rw/upper/home/tester$ sudo cat Documents/hi
hello
ubuntu@ubuntu:/media/ubuntu/casper-rw/upper/home/tester$

Installed Ubuntu in a USB pendrive

If you want security it is much better to create an installed system in your USB pendrive, installed like into an internal drive (but into a pendrive). See the instructions at the following link:

How do I install Ubuntu to a USB key? (without using Startup Disk Creator).
If you wish, you can encrypt it (LVM with LUKS encryption). In that case, do it at the partitioning window during the installation.

Ubuntu – Can I convert a live Ubuntu USB to one with persistent memory

Changing Live Pendrive to Persistent Pendrive

This works both with BIOS and UEFI.

Many people prefer a Persistent Pendrive that will save changes;

Create a Live Pendrive using Rufus or similar;
Boot the pendrive toram to make the drive editable:

Press Shift when booting; press Esc from Language; press F6; press Esc;

Type a Space and toram after quiet splash ---, and press Enter.
Create a casper-rw file:

sudo dd if=/dev/zero of=casper-rw bs=1M count=512

sudo mkfs.ext3 -L casper-rw -F casper-rw

(where count=512 is the persistence size in megabytes, with a max of 4GB).

Move the new casper-rw file from home to the root of the Live Pendrive;
Add a Space and persistent after quiet splash --- in the following files:

/isolinux/txt.cfg, (for BIOS boot persistence Rufus);

/syslinux.cfg, (for BIOS boot persistence UNetbootin);

/boot/grub/grub.cfg, (for UEFI boot persistence).
Shut down and reboot the persistent drive.

It's also possible to turn a Live USB into a Full-Install USB which has some advantages, except it won't install Ubuntu: Can Ubuntu be installed to the pendrive it was booted from?