Debian – Separate /boot partition on USB

boot-loader debian

During a standard Debian install I decided to implement an additional security factor, which is /boot on a separate USB key. In the Debian guide I found, it is only put this way.

http://madduck.net/docs/cryptdisk/

if you don't like the unencrypted /boot partition, you could boot the system off a USB key, which you can keep separate from the system except for when booting and upgrading the kernel. All you need to do for that is install the bootloader and kernel onto the device and configure it to use the proper encryption volume on the harddisk as root filesystem.

I know how to install GRUB onto a USB stick

grub-install --root-directory=/mnt /dev/sdb

but I don't know how to copy the kernel image from my current installation to the USB stick. Everything is done here from a live environment. On a clean install, I set up partitions manually and then proceed with the installation; after my /root and /home are ready to use and /boot is already specified on the USB key, I choose to "Continue Testing" my live environment, from which I install GRUB onto the /boot partition. But how do I put the initial ramdisk there?

Because this is mandatory for the system to boot. Also, doesn't this approach require me to edit my /etc/fstab or /etc/crypttab?

Best Answer

Here's a slightly different way hitting the same goal, /boot on an external usb flash:

(1) Prepare your usb flash boot-device under an existing Debian installation using the package gnome-disk-utility the following way (which is not necessarily the only way, but is tested and works for me).

(1.1) Format device with MBR scheme.

(1.2) Create single ext2 partition making it occupy all available space.

(1.3) After step 1.2 completes go to "Edit partition" and set the bootable flag.

(2) Install Debian using its standard installer.

(2.1) Boot your installation media, i.e. Debian installation cd/dvd or another usb stick with .iso image written on it.

(2.2) Choose country/language, setup users and passwords, answer all the routine questions (no interest here) till disk partition dialog.

(2.3) Select manual partitioning.

(2.4) Create your raid/lvm/encrypted volumes on your main disk drive. On top of it there will be a file system, probably ext4.

(2.5) Go to properties of this file system and select mount as / and "done with this partition".

(2.7) Find the usb stick in the list, it should have ext2 on it.

(2.8) Go to its properties and select mount as /boot and optionally noatime in additional flags. There is an option of formatting the partition, DO NOT do it! "Keep the files".

(2.9) Select "Done with this partition".

(2.10) Select "Finish partitioning" or similar, installation process should continue with some dialogs that are straightforward.

(2.11) After a few other dialogs that are straightforward and not of our interest here, there will be a dialog with a question where to install GRUB, which you should agree to install in your /dev/sdX, where X is your usb boot flash.


After installation finishes, you should be able to boot from your flash selecting appropriate option in the BIOS.

Regarding your question of issuing a grub-install --root-directory=/mnt /dev/sdb command, prefer chroot /mnt grub-install /dev/sdb as --root-directory option is deprecated. Other than that, it would work provided:

(1) main file system (your encrypted HDD/SSD/etc) hierarchy is unencrypted and mounted under /mnt of a host OS (i.e. Debian livecd), boot partition is mounted under /mnt/boot;

(2) the new system was previously installed to that partition. That is, /mnt has something in it (/usr/bin, /usr/sbin etc);

(3) after grub-install you issue chroot /mnt update-grub;

(4) you edit /etc/fstab and /etc/crypttab.

Which is much more hassle than installing everything via Debian installer.


Now, I'd like to comment on steps 1, 1.1, 1.2 and 1.3. I'm using Debian 7.5 installer, which fails on grub-install step if the partition is created via its own installer. It doesn't mean that there is a bug in the installer, could be me doing it wrong way. Partition created via gnome-disk-utility works well. Right now I have a dm-crypt/luks volume on top of LVM which is on top of software RAID (an md device), which in turn is on physical drives.
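The chroot route the answer outlines (installed root mounted under /mnt, the key under /mnt/boot, fstab and crypttab edited, then chroot in for grub-install and update-grub) as one script for a Debian live environment; this is an added example, not the answer's own commands, and the update-initramfs step is added here for the initial ramdisk the question asks about. Device names are constructed assumptions: /dev/sda2 is a LUKS container that directly holds the root filesystem (no LVM in between), /dev/sdb1 is the ext2 partition on the key, and /dev/sdb is the key itself.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Constructed device names:
#   /dev/sda2 = LUKS container that directly holds the root filesystem
#   /dev/sdb1 = ext2 partition on the USB key, /dev/sdb = the key itself
set -eu

# fstab entry for the key: by UUID, because the key's /dev/sdX name is not
# stable across boots; ext2 and noatime as in the answer's partitioning steps.
render_fstab_line() {      # $1 = UUID of the ext2 partition on the key
    printf 'UUID=%s /boot ext2 defaults,noatime 0 2\n' "$1"
}

# crypttab entry so the initramfs knows which container to unlock as root.
render_crypttab_line() {   # $1 = mapper name, $2 = LUKS container UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

install_boot_on_usb() {    # $1 = LUKS dev, $2 = USB partition, $3 = USB disk
    luks_dev=$1; usb_part=$2; usb_disk=$3; mapper=cryptroot
    cryptsetup luksOpen "$luks_dev" "$mapper"      # prompts for the passphrase
    mount "/dev/mapper/$mapper" /mnt               # installed root hierarchy
    mount "$usb_part" /mnt/boot                    # the key, inside that tree
    for d in dev proc sys; do mount --bind "/$d" "/mnt/$d"; done
    boot_uuid=$(blkid -s UUID -o value "$usb_part")
    luks_uuid=$(blkid -s UUID -o value "$luks_dev")
    grep -q ' /boot ' /mnt/etc/fstab || render_fstab_line "$boot_uuid" >>/mnt/etc/fstab
    grep -qs "^$mapper " /mnt/etc/crypttab || \
        render_crypttab_line "$mapper" "$luks_uuid" >>/mnt/etc/crypttab
    # The initial ramdisk the question asks about: regenerated onto the key,
    # with the cryptsetup hook picked up from the crypttab entry just written.
    chroot /mnt update-initramfs -u -k all
    chroot /mnt grub-install "$usb_disk"   # answer's form, no --root-directory
    chroot /mnt update-grub                # grub.cfg on the key -> encrypted root
    for d in sys proc dev; do umount "/mnt/$d"; done
    umount /mnt/boot /mnt
    cryptsetup luksClose "$mapper"
}

# Runs only when invoked explicitly, e.g.:
#   sh boot-on-usb.sh --run /dev/sda2 /dev/sdb1 /dev/sdb
if [ "${1:-}" = "--run" ]; then
    shift
    install_boot_on_usb "$@"
fi
```

Keep the key unplugged except for booting and kernel upgrades, as the guide quoted in the question advises; every kernel or initramfs update needs it mounted at /boot again.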
