Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Install MBR on removable USB

Ask for help with issues regarding the Installations of the Debian O/S.
Post Reply
Message
Author
User avatar
majpooper
Posts: 31
Joined: 2019-03-19 13:00

Install MBR on removable USB

#1 Post by majpooper »

I am experimenting with a security technique I heard about which is to put the MBR on a removable USB drive. The OS itself will be encrypted on the internal drive but to boot the OS one would need to physically insert the USB drive. I installed GRUB on a separate USB but cannot boot the OS from it or from the internal drive. So how do you install GRUB on a different drive from the OS and still be able to boot ?

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Install MBR on removable USB

#2 Post by Head_on_a_Stick »

majpooper wrote: 2022-07-03 16:09I installed GRUB on a separate USB but cannot boot the OS from it or from the internal drive
How exactly did you attempt that? Please post the exact command(s) used along with any configuration files.

EDIT: instructions removed.
Last edited by Head_on_a_Stick on 2022-07-04 04:43, edited 1 time in total.
deadbang

User avatar
majpooper
Posts: 31
Joined: 2019-03-19 13:00

Re: Install MBR on removable USB

#3 Post by majpooper »

Head_on_a_Stick wrote: 2022-07-03 17:46 How exactly did you attempt that? Please post the exact command(s) used along with any configuration files.
During the install the installer asked where I wanted to install GRUB - I chose a USB drive rather than the internal drive where the I installed Debian.
EDIT:
I will try again with the way you suggest.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Install MBR on removable USB

#4 Post by Head_on_a_Stick »

majpooper wrote: 2022-07-03 19:37I will try again with the way you suggest.
Don't bother, it won't work. Sorry for the trouble but I've never used encryption so I'll have to leave this thread to people who have.
deadbang

steve_v
df -h | grep > 20TiB
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: Install MBR on removable USB

#5 Post by steve_v »

majpooper wrote: 2022-07-03 16:09I am experimenting with a security technique I heard about which is to put the MBR on a removable USB drive. The OS itself will be encrypted on the internal drive but to boot the OS one would need to physically insert the USB drive.
I'm not seeing the advantage of putting the MBR on a USB drive over just putting the LUKS (Presumably, you mention encryption) keys there. Either way you'll need the USB device to boot, and while I haven't tried it myself, from a cursory internet search the latter method appears well documented.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

p.H
Global Moderator
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Install MBR on removable USB

#6 Post by p.H »

majpooper wrote: 2022-07-03 19:37 During the install the installer asked where I wanted to install GRUB - I chose a USB drive rather than the internal drive where the I installed Debian.
GRUB for BIOS boot is divided in 3 parts :
- boot image in the MBR
- core image in reserved sectors on the same drive
- files in /boot/grub/ (config files, font, modules) which may be on a different drive

/boot may be encrypted with restrictions but it is not supported by the Debian installer.
GRUB < 2.06 (up to bullseye) supports only LUKS1 format but the installer uses LUKS2.
GRUB 2.06 (testing) supports LUKS2 only with PBKDF2 but the installer uses Argon2.
steve_v wrote: 2022-07-05 05:11 I'm not seeing the advantage of putting the MBR on a USB drive over just putting the LUKS (Presumably, you mention encryption) keys there
An attacker with physical access may tamper with the unencrypted boot files when they are on the main drive.

Post Reply