@andrewlkho
Last active June 23, 2018 00:24
How to install debian to a USB drive for use on a MacBook Air

This guide shows how to install debian so that it can be booted and run from a USB drive on a MacBook Air. I use this to store a copy of my PGP master keypair. Networking is deliberately not configured and all operations requiring the master keypair (such as signing other people's keys) are done only on this system. See the debian wiki for information on how to separate your key. Note that this is slightly different to using a live CD. It is not possible to tailor the base configuration of a live CD to one's own requirements, and they frequently automatically connect to the nearest local network. Nevertheless, if you wish to use a live CD instead, I recommend Tails. Arturo Filastò has written a similar guide for Tails.

The method I use requires VirtualBox, plus a VM that already contains a working debian installation (it is used later to chroot into the USB drive). An alternative method would be to use debootstrap, but I won't go into that here. Part of the difficulty that some people have with this setup is that modern Macs require UEFI-compatible USB drives to boot from.

Install the base debian system

The first step is to create a new VirtualBox machine. However, do not add a virtual hard drive to it. Instead, put the debian installation ISO into the "CD drive" of the VM. Put the USB drive into your Mac and enable it on the VM (Settings > Ports > USB > USB Device Filters). Start the VM, and install debian. A few notes:

When it comes to partitioning the drive, I use manual partitioning. I create four partitions:

  • 100MB bootable FAT32 partition mounted at /boot/efi
  • 10GB non-bootable ext2 partition mounted at /
  • 2 x 1GB partitions which are non-bootable, not mounted, and not formatted until later

Also, don't install a bootloader (this is done later).

Making it bootable

When the installation is done, boot up a VM containing a running debian installation and insert the USB drive making sure to pass it through to the VM. I'm going to assume that it is on sdb; if you are not sure then check the output of the kernel buffer at the point at which you insert it (dmesg | tail). Mount the new USB drive along with a few parts of the existing running VM and chroot into it:

% mkdir /mnt/sdb2 && mount /dev/sdb2 /mnt/sdb2
% mkdir /mnt/sdb2/boot/efi && mount /dev/sdb1 /mnt/sdb2/boot/efi
% for x in /dev /dev/pts /proc /sys; do
>     mount -B $x /mnt/sdb2$x
> done
% chroot /mnt/sdb2

Install GRUB2 and copy the bootloader to where the MacBook expects to find it:

% apt-get update
% apt-get install grub-efi-amd64
% grub-install /dev/sdb
% mkdir /boot/efi/EFI/boot
% cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/boot/bootx64.efi
% update-grub

Whilst you are in the chroot jail and connected to the internet, you can install any other software you think you might need before exiting and unmounting:

% apt-get install sudo vim cryptsetup
% exit
% for x in /dev/pts /dev /proc /sys /boot/efi / ; do
>     umount /mnt/sdb2$x
> done

And that should be everything. When you reboot your Mac to test this, don't forget to hold down the Option key at startup to boot from USB.

Creating an encrypted partition

Although I physically secure the USB drive and it is not connected to the internet, it's not quite secure enough. Whilst I would certainly revoke the key if it were stolen, I'd want the reassurance that the thief is nevertheless unlikely to get their hands on the master keypair without effort beyond that warranted for someone with nothing terribly exciting to hide. Also, this stops it from being "borrowed" without me noticing.

This is where those last two partitions come into play. I encrypt sdb3 using dm-crypt and format sdb4 as a FAT32 partition for ferrying data to and from the USB drive:

% cryptsetup luksFormat /dev/sdb3
% cryptsetup luksOpen /dev/sdb3 SECURE
% mkfs.ext2 /dev/mapper/SECURE
% mkfs.vfat /dev/sdb4

Whenever I want to work with the encrypted partition I mount it like this:

% cryptsetup luksOpen /dev/sdb3 SECURE
% mkdir -p /mnt/SECURE
% mount /dev/mapper/SECURE /mnt/SECURE
...
% umount /mnt/SECURE
% cryptsetup luksClose SECURE

One could also configure /etc/fstab to automatically mount this at boot if desired; for a LUKS partition that needs a matching /etc/crypttab entry so the container is unlocked before the fstab mount is attempted.

I keep the gnupg home directory on the SECURE partition and use the --homedir switch to specify its location.
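The open/mount/work/unmount/close sequence above, together with the --homedir usage, wrapped into one script so that the container is unmounted and closed again even when the gpg command fails or the shell is interrupted. This is an added example, not part of the gist: the script name with-secure, the function names and the gnupg subdirectory under the mount point are assumptions; /dev/sdb3, SECURE and /mnt/SECURE are the gist's own names.

```shell
#!/bin/sh
# with-secure (hypothetical name): open the LUKS container, mount it, run ONE
# command (typically gpg with --homedir on the mounted partition), then undo
# everything in reverse order even if the command fails or is interrupted.
# Usage: with_secure /dev/sdb3 SECURE /mnt/SECURE gpg --homedir /mnt/SECURE/gnupg -K
set -eu
# What this invocation has done so far; the cleanup undoes only these steps.
_ws_opened=0
_ws_mounted=0

secure_cleanup() {
    # $1 = mapper name, $2 = mount point. Also runs from traps, so it never
    # aborts halfway: each step is attempted regardless of the previous one.
    set +e
    if [ "$_ws_mounted" -eq 1 ]; then
        umount "$2" && _ws_mounted=0 || echo "warning: umount $2 failed" >&2
    fi
    if [ "$_ws_opened" -eq 1 ]; then
        cryptsetup luksClose "$1" && _ws_opened=0 || echo "warning: luksClose $1 failed" >&2
    fi
    set -e
}

with_secure() {
    dev=$1; name=$2; mnt=$3; shift 3
    [ "$#" -gt 0 ] || { echo "usage: with_secure DEV NAME MOUNTPOINT CMD..." >&2; return 2; }
    # A mapping left behind by an earlier crash could belong to another session,
    # so refuse to reuse it rather than close it underneath that session.
    if [ -e "/dev/mapper/$name" ]; then
        echo "/dev/mapper/$name already exists; luksClose it first" >&2
        return 1
    fi
    trap 'secure_cleanup "$name" "$mnt"' EXIT
    trap 'secure_cleanup "$name" "$mnt"; exit 130' INT TERM
    cryptsetup luksOpen "$dev" "$name"; _ws_opened=1
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"; _ws_mounted=1
    # Keep the command's status instead of letting set -e abort before the
    # explicit cleanup below.
    rc=0
    "$@" || rc=$?
    secure_cleanup "$name" "$mnt"
    trap - EXIT INT TERM
    return "$rc"
}

# Behave as a command when run with arguments; sourced or argument-less, it only defines the functions.
if [ "$#" -gt 0 ]; then
    with_secure "$@"
fi
```

Because the cleanup tracks what this run did rather than probing /dev/mapper, a failed luksOpen (wrong passphrase) leaves nothing to undo and a failed mount still closes the container.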
