All of the information I currently find on this matter is insufficient for my taste. It is either outdated, misleading or even wrong, seems overly complicated or not covering this specific question.
Goals:
- bootable USB drive (both UEFI and legacy BIOS supported)
- (based on) live Debian 9 (stretch)
- persistence (by default and for both UEFI and legacy BIOS)
- German keyboard layout per default
- fit for troubleshooting other GNU/Linux systems
Reasons:
- having to setup the keyboard layout on every use is a real headache
- cryptsetup and efibootmgr are missing in the default Debian live images
- gnome-terminal has this annoying white background per default
No solutions:
- (re)building custom debian live image (it seems tedious, although I did not try it yet)
- unetbootin (asks for an unknown password when starting up on debian stretch and I think it does not support UEFI anyways)
- some foreign automated process where I don't see what is happening
Debian live and install images are isohybrid and can be conveniently written to block devices using dd
. And they do work from USB drives like that, which is very nice! However, there will be no persistence and no way to start with a non-english keyboard layout per default without editing the grub and isolinux config, which is included in the very read-only ISO9660 filesystem of the live ISO image. So even after writing the live ISO to a USB drive, these parameters still cannot be changed.
Best Answer
Here is a way to create a Debian live USB drive with persistence. It will allow to install the missing packages which will from then on be available on every live boot using the persistence. Because we re-create the live ISO image filesystem contents on a read-write capable filesystem, we can change the bootloader configurations to enable persistence and set the keyboard layout on boot.
The steps described here were tested to work on Debian stretch and buster to create a Debian stretch live image.
There are a lot of steps involved, but it seems that this method is still quite efficient.
Disclaimer: You will lose the data on the target USB drive and if you mess up the commands below you might feel very sorry afterwards. I am not responsible for your actions.
Feeling lucky
If you feel particularly lucky today, you can try a bash script automating the process for you. Give it your ISO image path as first parameter and the USB drive block device name as the second. Note that this script is insanely dangerous and that you should not execute it without reading and understanding it first.
TL;DR
Get Debian live ISO image, then do the following:
In Detail and with some explanation
You will need to execute most of the following commands with elevated privileges, i.e., using
sudo
on most GNU/Linux systems.Download
Download a Debian live ISO image with the window manager of your choice:
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
We'll refer to the downloaded ISO image simply as "live.iso".
Determine target drive
Find the device that is your USB drive using
lsblk
. We'll call that/dev/sdX
.Unmount
Unmount existing partitions on your drive using
umount /dev/sdX*
Create partitions
We need an EFI boot partition for UEFI PCs to boot from the USB drive. Then we need a sufficiently large partition to hold the original live ISO filesystem image contents. That partition must have the
legacy_boot
flag set. Then we add the persistence partition, using up all the remaining space of the USB drive. You can do that with any GPT capable partitioning tool (mind thelegacy_boot
flag). Here is an example usingparted
:This creates a GPT partition table and a protective MBR partition table.
Create Filesystems
We want FAT on the EFI and live partition and we want
ext4
on the persistence parition and we require the labelpersistence
for the persistence feature to work.Mounting the resources
We'll need to mount the source ISO and target partitions at temporary mount points.
Install live system
Copy the live ISO filesystem content to the LIVE partition.
persistence.conf
Prepare the persistence filesystem with the required configuration file. The persistence feature will not work without this file.
Grub for UEFI support
Install grub2 for UEFI booting support (this requires the
grub-efi-amd64-bin
package on Debian). We forcegrub-install
to not use UEFI secure boot, which apparently does not work with the--removable
option.Syslinux for legacy BIOS support
Install syslinux
gptmbr.bin
bootloader to the drive (download syslinux or install packagesyslinux-common
). Then install syslinux to the live partition.Isolinux fixup
Reuse the isolinux config of the original live ISO to work with syslinux.
Kernel parameters
Now that we copied the live system files to an actual read-write filesystem, we can manipulate the grub and syslinux config.
Add the persistence kernel parameter to
menu.cfg
andgrub.cfg
. In both files, add the keywordpersistence
at the end of the respective first line withboot=live
in it.Set the keyboard-layout kernel parameter. In both files, add the keywords at the end of the respective first line with
boot=live
in it.Grub splash
Fix the grub splash image (optional; we moved it into another directory).
Unmounting and Cleanup
Why this should work for both UEFI and BIOS
When starting in UEFI mode, the PC will scan the FAT partitions we defined in the GPT partition table. The first FAT partition carries the UEFI grub bootloader, which is found because it is located in the path specified by UEFI for removable drives (the
--removable
switch togrub-install
did this). No UEFI boot entry is necessary for that to work, we only need to make the PC try to boot from the USB drive. That grub is configured to take it from there (load the grub.cfg, show the menu, etc.).When starting in BIOS mode and selecting to boot from the USB drive, the PC will execute the
gptmbr.bin
bootloader code we have written to the protective MBR of the USB drive. That bootloader looks for the GPT partition marked with thelegacy_boot
flag and chainload syslinux from that partition. Syslinux then takes over (load menu.cfg, show the menu, etc.).Encrypted Persistence
Instead of using plain ext4 on the persistence partition, one could first encrypt the persistence partition with LUKS (using
cryptsetup
), then format that with ext4 (using the proper label). However, as the documentation says, the live system must include thecryptsetup
package. Otherwise, the encrypted partition cannot be decrypted by the live system. This means one has to build a custom live ISO first. That is, however, out of the scope of this answer.History
The
--no-uefi-secure-boot
option was previously not part of the call togrub-install
. The stick worked fine for me, but that stopped with Debian buster, even though secure boot is still disabled on my machine.