Here is a way to create a Debian live USB drive with persistence. It will allow to install the missing packages which will from then on be available on every live boot using the persistence. Because we re-create the live ISO image filesystem contents on a read-write capable filesystem, we can change the bootloader configurations to enable persistence and set the keyboard layout on boot.
The steps described here were tested to work on Debian stretch and buster to create a Debian stretch live image.
There are a lot of steps involved, but it seems that this method is still quite efficient.
Disclaimer: You will lose the data on the target USB drive and if you mess up the commands below you might feel very sorry afterwards. I am not responsible for your actions.
Feeling lucky
If you feel particularly lucky today, you can try a bash script automating the process for you. Give it your ISO image path as first parameter and the USB drive block device name as the second. Note that this script is insanely dangerous and that you should not execute it without reading and understanding it first.
TL;DR
Get Debian live ISO image, then do the following:
umount /dev/sdX*
parted /dev/sdX --script mktable gpt
parted /dev/sdX --script mkpart EFI fat16 1MiB 10MiB
parted /dev/sdX --script mkpart live fat16 10MiB 3GiB
parted /dev/sdX --script mkpart persistence ext4 3GiB 100%
parted /dev/sdX --script set 1 msftdata on
parted /dev/sdX --script set 2 legacy_boot on
parted /dev/sdX --script set 2 msftdata on
mkfs.vfat -n EFI /dev/sdX1
mkfs.vfat -n LIVE /dev/sdX2
mkfs.ext4 -F -L persistence /dev/sdX3
mkdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
mount /dev/sdX1 /tmp/usb-efi
mount /dev/sdX2 /tmp/usb-live
mount /dev/sdX3 /tmp/usb-persistence
mount -oro live.iso /tmp/live-iso
cp -ar /tmp/live-iso/* /tmp/usb-live
echo "/ union" > /tmp/usb-persistence/persistence.conf
grub-install --no-uefi-secure-boot --removable --target=x86_64-efi --boot-directory=/tmp/usb-live/boot/ --efi-directory=/tmp/usb-efi /dev/sdX
dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr/gptmbr.bin of=/dev/sdX
syslinux --install /dev/sdX2
mv /tmp/usb-live/isolinux /tmp/usb-live/syslinux
mv /tmp/usb-live/syslinux/isolinux.bin /tmp/usb-live/syslinux/syslinux.bin
mv /tmp/usb-live/syslinux/isolinux.cfg /tmp/usb-live/syslinux/syslinux.cfg
sed --in-place 's#isolinux/splash#syslinux/splash#' /tmp/usb-live/boot/grub/grub.cfg
sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 persistence/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg
sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 keyboard-layouts=de locales=en_US.UTF-8,de_DE.UTF-8/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg
umount /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
rmdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
In Detail and with some explanation
You will need to execute most of the following commands with elevated privileges, i.e., using sudo
on most GNU/Linux systems.
Download
Download a Debian live ISO image with the window manager of your choice:
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
We'll refer to the downloaded ISO image simply as "live.iso".
Determine target drive
Find the device that is your USB drive using lsblk
. We'll call that /dev/sdX
.
Unmount
Unmount existing partitions on your drive using umount /dev/sdX*
Create partitions
We need an EFI boot partition for UEFI PCs to boot from the USB drive. Then we need a sufficiently large partition to hold the original live ISO filesystem image contents. That partition must have the legacy_boot
flag set. Then we add the persistence partition, using up all the remaining space of the USB drive. You can do that with any GPT capable partitioning tool (mind the legacy_boot
flag). Here is an example using parted
:
parted /dev/sdX --script mktable gpt
parted /dev/sdX --script mkpart EFI fat16 1MiB 10MiB
parted /dev/sdX --script mkpart live fat16 10MiB 3GiB
parted /dev/sdX --script mkpart persistence ext4 3GiB 100%
parted /dev/sdX --script set 1 msftdata on
parted /dev/sdX --script set 2 legacy_boot on
parted /dev/sdX --script set 2 msftdata on
This creates a GPT partition table and a protective MBR partition table.
Create Filesystems
We want FAT on the EFI and live partition and we want ext4
on the persistence parition and we require the label persistence
for the persistence feature to work.
mkfs.vfat -n EFI /dev/sdX1
mkfs.vfat -n LIVE /dev/sdX2
mkfs.ext4 -F -L persistence /dev/sdX3
Mounting the resources
We'll need to mount the source ISO and target partitions at temporary mount points.
mkdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
mount /dev/sdX1 /tmp/usb-efi
mount /dev/sdX2 /tmp/usb-live
mount /dev/sdX3 /tmp/usb-persistence
mount -oro live.iso /tmp/live-iso
Install live system
Copy the live ISO filesystem content to the LIVE partition.
cp -ar /tmp/live-iso/* /tmp/usb-live
persistence.conf
Prepare the persistence filesystem with the required configuration file. The persistence feature will not work without this file.
echo "/ union" > /tmp/usb-persistence/persistence.conf
Grub for UEFI support
Install grub2 for UEFI booting support (this requires the grub-efi-amd64-bin
package on Debian). We force grub-install
to not use UEFI secure boot, which apparently does not work with the --removable
option.
grub-install --no-uefi-secure-boot --removable --target=x86_64-efi --boot-directory=/tmp/usb-live/boot/ --efi-directory=/tmp/usb-efi /dev/sdX
Syslinux for legacy BIOS support
Install syslinux gptmbr.bin
bootloader to the drive (download syslinux or install package syslinux-common
). Then install syslinux to the live partition.
dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr/gptmbr.bin of=/dev/sdX
syslinux --install /dev/sdX2
Isolinux fixup
Reuse the isolinux config of the original live ISO to work with syslinux.
mv /tmp/usb-live/isolinux /tmp/usb-live/syslinux
mv /tmp/usb-live/syslinux/isolinux.bin /tmp/usb-live/syslinux/syslinux.bin
mv /tmp/usb-live/syslinux/isolinux.cfg /tmp/usb-live/syslinux/syslinux.cfg
Kernel parameters
Now that we copied the live system files to an actual read-write filesystem, we can manipulate the grub and syslinux config.
Add the persistence kernel parameter to menu.cfg
and grub.cfg
. In both files, add the keyword persistence
at the end of the respective first line with boot=live
in it.
sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 persistence/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg
Set the keyboard-layout kernel parameter. In both files, add the keywords at the end of the respective first line with boot=live
in it.
sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 keyboard-layouts=de locales=en_US.UTF-8,de_DE.UTF-8/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg
Grub splash
Fix the grub splash image (optional; we moved it into another directory).
sed --in-place 's#isolinux/splash#syslinux/splash#' /tmp/usb-live/boot/grub/grub.cfg
Unmounting and Cleanup
umount /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
rmdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
Why this should work for both UEFI and BIOS
When starting in UEFI mode, the PC will scan the FAT partitions we defined in the GPT partition table. The first FAT partition carries the UEFI grub bootloader, which is found because it is located in the path specified by UEFI for removable drives (the --removable
switch to grub-install
did this). No UEFI boot entry is necessary for that to work, we only need to make the PC try to boot from the USB drive. That grub is configured to take it from there (load the grub.cfg, show the menu, etc.).
When starting in BIOS mode and selecting to boot from the USB drive, the PC will execute the gptmbr.bin
bootloader code we have written to the protective MBR of the USB drive. That bootloader looks for the GPT partition marked with the legacy_boot
flag and chainload syslinux from that partition. Syslinux then takes over (load menu.cfg, show the menu, etc.).
Encrypted Persistence
Instead of using plain ext4 on the persistence partition, one could first encrypt the persistence partition with LUKS (using cryptsetup
), then format that with ext4 (using the proper label). However, as the documentation says, the live system must include the cryptsetup
package. Otherwise, the encrypted partition cannot be decrypted by the live system. This means one has to build a custom live ISO first. That is, however, out of the scope of this answer.
History
The --no-uefi-secure-boot
option was previously not part of the call to grub-install
. The stick worked fine for me, but that stopped with Debian buster, even though secure boot is still disabled on my machine.
Best Answer
Debian live with persistence.
First try with official image from
www.debian.org/CD/live/
From SE site (standard live):
From automatic mirror selection (mate live):
Then checksum you download file with https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA256SUMS...
Ok ISO filesystem is read-only, but there is a little workaround: we could replace non vital bootparam by
persistence
in this way.you could alter them by using
sed
for replacing strings in binary.This will create a modified copy of your live binary file, by strictly replacing
splash quiet
orquiet splash
bypersistence
, everywhere. Ok this will work only while grub boot command do contain this two words together.But care to not miss the space after persistence:
Or your binary will be broken.
Install on USB key
Then add your third partition for persistence:
This could be run without interaction:
Format and prepare persistence with
union
:Then eject and try!
If you use official, unmodified image, for using persistence, you have to interrupt boot selection:
Once menu screen is displayed, choose your boot option, then instead of Return, hit Tab.
The kernel commandline will be displayed, then add
persistence
with a space, after last word (quiet
), then hit Return.Unfortunately, as 1st partition is bundled with UEFI and is ISO, you can't modify the boot command.
Customized Debian live with persistence
You just have to add
persistence
to boot command line, but nothing else!? There is a way, using FAT andsyslinux
, but you have a lot of data manipulations. It's long and I find this not so well. I prefer:Build your own Debian live
More regular, but a little longer (at least for 1st image),
Note: All this stuff was done under root user (this must work by using
fakeroot
, but this is not tested there and today).... and all recommendations.
I wrote a little
XARGS
function for dropping commented lines:First setting
bootparams
, with localisation and arguments for persistence:Now your package list:
Very first step of
lb
: create initial tree:Now, you have a small tree, you could:
Ok, next command will take a loooong time! (Approx 1 hour on my host)
If everything's ok, you may find your own Debian live:
Install on USB key (same operation than for downloaded binaries)
The 'iso-hybrid' image contains two partitions for UEFI and live mixed in a way both EFI and bios could boot on.
You could simply put to your USB Key: (Note: ensure first your USB Key is not mounted!)
Then add your third partition for persistence:
Format and prepare persistence with
union
:Eject and try...
Debian live with encrypted persistence
Build your own Debian live, but with encrypted persistence.
In order to boot with rootfs
/
on encrypted persistence, you have to adddm-crypt
module and related binaries to initrd (initial ram disk) by adding settingCRYPTSETUP=y
into an/etc/initramfs-tools/hooks/
...I wrote a little
XARGS
function for dropping commented lines:First setting
bootparams
, with localisation and arguments for persistence and cryptsetup:Now your package list:
And your package selection:
Of course
cryptsetup
is required! ;-)Very first step of
lb
: create initial tree:Now, you have a small tree, you could:
Ok, next two command will take a loooong time! (Approx 40' on my host)
Now you could add your module and binaries:
Then run final stage (will take some more lot of time ~25'):
Note: If you read
cryptsetup: WARNING: Couldn't determine root device
, it's fine! This mean that cryptsetup is installed on yourinitrd
.If everything's ok, you may find your own Debian live:
Install on USB key
The 'iso-hybrid' umage do contain already two partitions for UEFI and live mixed in a way both EFI and BIOS could boot on.
You could simply put to your USB Key: (Note: ensure first your USB Key is not mounted!)
Add new Linux partion by using free space.
This will create partition 3 using free space on your USB Key.
Then prepare your crypted partition
Enter passphrase
Enter passphrase again
That's all.