Password in Persistent Live USB - is it possible?

Solution 1

Another alternative is to do a Full install to USB.

This is done the same as an install to internal drive except with the internal drive disabled and the USB plugged in, in its place.

The install process will then prompt for password and offer to encrypt the drive.

A Full install initially takes a little more space but uses it more efficiently. It also boots a little faster, allows proprietary drivers and permits updates and upgrades.

A Full install requires an 8GB minimum flash drive for Ubuntu.

Without an encrypted home folder, the persistent file or partition (casper-rw) can be easily mounted and accessed on any computer using Linux.

I have had problems shutting down Persistent drives with new users added, but this does not apply to 16.04 made with mkusb.

Solution 2

New user with encrypted home in a persistent live drive

Yes it is possible to create a new user with encrypted home in a persistent live drive made with mkusb. I have done it so I know that it works. It is probably easiest if you install gnome-system-tools and use users-admin.

sudo apt install gnome-system-tools

users-admin

or start it via the graphical user interface.

Select Add to create a new user and select encrypt home folder. Otherwise the password is not really meaningful in this kind of system.

Warning: it is very important to back up the system regularly and to remember the password to the encrypted system. Otherwise you might lose your data. There is no back door.

If you keep the default user, the system will auto-login (unless you change that setting). Log out and select the new user ('tester' in the example below) and enter the password.

If you intend to remove the default user, you should make your new user an administrator, and be sure that you can run sudo. (You should not be able to remove the default user without sudo in standard Ubuntu, and if you manage to remove it anyway, your system would be crippled with no user to manage the system.)

sudo deluser ubuntu  # in standard Ubuntu (modify user name in the flavours)

Problems with Firefox and Thunderbird

It was more difficult to create a basic working Lubuntu system with a new user with encrypted home. And after further testing we found that neither Firefox nor Thunderbird works, not for the OP in Xubuntu and not for me in Lubuntu and standard Ubuntu. So I am affected too. I suspect that it is some security feature that stops the Mozilla software from working.

I installed Midori, a light-weight web browser, and it works without problems. It can be used for webmail (I tested with my gmail account). - But if it is necessary for you to use Firefox and Thunderbird, this kind of persistent live system is a dead end street.

Alternative: Installed system in a USB drive

An alternative is to make an installed system with or without encrypted disk or encrypted home if you wish - installed like into an internal drive, but into a USB drive. It is easiest to install it correctly, if you remove the internal drive from the computer, where you create it. There are some tips at the following links,

help.ubuntu.com/community/Installation/UEFI-and-BIOS

Ubuntu on a USB stick - mount options to reduce writes

Quick fix

This is a quick fix, that is not adding security against a qualified attack, but maybe it would be enough to prevent tampering by curious persons, to make your persistent live tweaks in Xubuntu 'noob-proof': move (rename) sudo and remove the gui tools to manage programs, gnome-software, update-manager and maybe software-properties-gtk.

sudo mv /usr/bin/sudo /usr/bin/opns
opns apt remove gnome-software
opns apt remove update-manager
opns apt remove software-properties-gtk

Or better, move sudo to some other name, that is more difficult to guess. The following screenshot illustrates that it works to use the 'moved sudo' command to install a program package,

opns apt install htop
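
The steps in Solution 2 (new administrator with encrypted home, default user removed, no auto-login) can be checked with a small audit script. This is an added example, not part of the original answers; the function name is hypothetical, and it assumes LightDM as the display manager and the eCryptfs layout that Ubuntu's "encrypt home folder" option creates.

```shell
#!/bin/sh
# Added example, not from the original answer. Checks the account setup of a
# persistent live system against the steps described above.
# Assumptions: LightDM is the display manager, and the encrypted home uses
# eCryptfs (/home/.ecryptfs/<user>/.Private). Function name is hypothetical.
# Usage: audit_live_accounts ROOT DEFAULT_USER NEW_USER
#   e.g. audit_live_accounts / ubuntu tester
# Prints one line per finding; the return status is the number of findings.
audit_live_accounts() {
    root=${1%/}; default_user=$2; new_user=$3; findings=0

    # 1. The default live user should have been removed with deluser.
    if grep -qs "^${default_user}:" "$root/etc/passwd"; then
        echo "default user '$default_user' still exists"
        findings=$((findings + 1))
    fi

    # 2. An active NOPASSWD rule means sudo works without a password.
    if grep -rqsE '^[^#]*NOPASSWD' "$root/etc/sudoers" "$root/etc/sudoers.d"; then
        echo "sudoers contains a NOPASSWD rule"
        findings=$((findings + 1))
    fi

    # 3. The new user must be an administrator (member of group sudo),
    #    otherwise nobody is left to manage the system.
    if ! grep -s '^sudo:' "$root/etc/group" | grep -qE "[:,]${new_user}(,|\$)"; then
        echo "'$new_user' is not in the sudo group"
        findings=$((findings + 1))
    fi

    # 4. Without an encrypted home the login password protects nothing
    #    once the drive is mounted on another computer.
    if [ ! -d "$root/home/.ecryptfs/$new_user/.Private" ]; then
        echo "home of '$new_user' is not encrypted"
        findings=$((findings + 1))
    fi

    # 5. Auto-login skips the password prompt at boot.
    if grep -rqsE '^[[:space:]]*autologin-user=.+' "$root/etc/lightdm"; then
        echo "LightDM auto-login is enabled"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

A return status of 0 means the tree matches the setup described in Solution 2; ROOT can be `/` on the running system or any directory holding a copy of its `/etc` and `/home`.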

Author: garfield50

Updated on September 18, 2022

Comments

  • garfield50
    garfield50 over 1 year

    I've just created the persistent live usb (using mkusb - persistence works). The problem is that there is no password and any program can be installed from terminal with root.

    Is it possible to create root password in persistent live usb?

    • fugitive
      fugitive over 7 years
      Check this document from Kali, it can be applied to any distro. docs.kali.org/kali-dojo/…
    • Admin
      Admin over 7 years
      @MilosM Your link doesn't mention passwords.
  • garfield50
    garfield50 over 7 years
    First, thank you for your answer! I want to check a few things though: 1.) Does this mean the terminal will require password when installing new programs? (This is the main goal that I'm trying to achieve) 2.) In case that yes - is it possible to make the log-in screen appear after reboot (or make this new password-protected user the only user). BTW, I'm new to Linux, sorry if I'm asking obvious things.
  • sudodus
    sudodus over 7 years
    If you make the new user an administrator with sudo permissions and after that remove the default user ubuntu, the system will wait at the login screen like a normal installed system. So the user will need a password to log in and to do administration like installing programs. It is possible to make the system log in without a password, but still need a password to do administration tasks. But if you leave the default user, it is possible to do administration tasks without a password as the default user like in a normal live or persistent live system.
  • garfield50
    garfield50 over 7 years
    Thanks for your detailed instructions. It worked! The only problem now, though, is that the system does not want to logout, restart or shut down (as C.S.Cameron pointed out). I'm running xubuntu 16.04. Is there a way this can be solved - or to force it to restart/shutdown?
  • garfield50
    garfield50 over 7 years
    I got it working in persistent live drive (like sudodus described), but the system doesn't want to shut down now - as you said. I'm using xubuntu 16.04. Did you manage to get this shutdown working? And regarding installing a full install on USB - is it true that it runs out the USB drive (because it doesn't run from RAM as in persistent live USB) or is this a myth?
  • sudodus
    sudodus over 7 years
    When I made those screenshots, I tested standard Ubuntu 16.04.1 LTS (as you can see). I still have that system in a Sandisk Extreme pendrive, and it shuts down nicely. Did you install from 16.04 LTS (the original version)? Several bugs are squashed between 16.04 and 16.04.1 (the first point release). If you installed 16.04.1 LTS, the difference is probably due to the difference between standard Ubuntu and Xubuntu. Please tell me exactly which iso file you used (the file name), and I can try to help you find a solution or workaround.
  • sudodus
    sudodus over 7 years
    You can make a soft shutdown with the key sequence SysRq r e i s u o and a soft reboot with SysRq r e i s u b. Usually you get SysRq with Alt + PrintScreen. See this link: en.wikipedia.org/wiki/Magic_SysRq_key
  • garfield50
    garfield50 over 7 years
    Sorry, it is actually 16.04.1. I've used xubuntu-16.04.1-desktop-amd64.iso. I'll try the SysRq right now.
  • sudodus
    sudodus over 7 years
    It is getting late here, so tomorrow I can try lubuntu-16.04.1-desktop-amd64.iso. Maybe it will shutdown nicely.
  • garfield50
    garfield50 over 7 years
    Oh, thank you! I'm running xubuntu (not lubuntu, but maybe it'll be the same). SysRq works as you said. The normal shut down still doesn't. What is more, Firefox and Thunderbird somehow don't work - which is strange. They give "Mozilla Crash reporter - We're Sorry" and system warning "Failed to execute default Web Browser. Input/output error." The third annoyance is that after I log in with the password, the background appears and after 2min panels load. Do you think this is due to the encryption of new user home? I'm using Lexar USB3.0 16G drive in USB3 port. I'll clean install OS and report.
  • garfield50
    garfield50 over 7 years
    A clean install (persistence with mkusb) didn't help. I tried to make a few more users with different configurations though. I found out that if I check "Encrypt home folder", the problems with long login, Firefox&Thunderbird and restart/shutdown appear.
  • sudodus
    sudodus over 7 years
    The boot and login will be slower with a slow USB drive. It is important to have a fast USB 3 drive. The persistence will make things slower, and the encryption will probably make things slower, but depends more on the processor's capacity than on the read speed. Using a light-weight system can compensate for these slowdowns. This is why it is worthwhile to try Lubuntu.
  • garfield50
    garfield50 over 7 years
    The speed is not the problem - the thing is it doesn't work. If the new user has "Encrypted home", Firefox and Thunderbird don't start and the system won't shut down properly. If the new user has "Administrative privileges", the new programs fail to install (I've just found while testing). So as for now, I still can't see how to make a working persistent usb to request a password for admin tasks. Maybe there is a way to change the password of Live user and make it request it every time?
  • sudodus
    sudodus over 7 years
    Today I made another persistent live system. It was more difficult to create a basic working Lubuntu system with a new user with encrypted home. But after further testing I found that neither Firefox nor Thunderbird works, not in Lubuntu and not in standard Ubuntu. So I am affected too. I installed Midori (a light-weight web browser), and it works without problems. It can be used for webmail (I tested with my gmail account). - But if it is necessary for you to use Firefox and Thunderbird, this kind of persistent live system is a dead end street.
  • sudodus
    sudodus over 7 years
    Maybe you can try to make an installed system (with encrypted disk or encrypted home if you wish) - like installed into an internal drive, but into a USB drive. It is easiest to install it correctly, if you remove the internal drive from the computer, where you create it.
  • garfield50
    garfield50 over 7 years
    You see, actually I don't care much for the encryption, I just wanted to have a persistent usb, that would require password for administrative tasks. To make a persistent system (from running partly from ram) more secure. Still haven't found a solution for this though. Thanks for your help, I'll sign your answer as correct, because you provided so much information and a working alternative. I'm still looking for workaround in persistent usb - if you manage to come by solution it would be greatly received! :)
  • sudodus
    sudodus over 7 years
    I don't know how to make it work with password for the default user in a live or persistent live system. It bypasses my attempts. But I can suggest a quick fix, that is not really adding security against a qualified attack, but maybe it would be enough to prevent tampering by curious persons, to make your persistent live tweaks 'noob-proof': move (rename) sudo and remove the gui tool to install programs, 'gnome-software'. sudo mv /usr/bin/sudo /usr/bin/odus or better, move sudo to some other name, that is more difficult to guess.
  • Meninx - メネンックス
    Meninx - メネンックス over 7 years
    I think I ended up putting an icon on my desktop to shut down the computer, see askubuntu.com/questions/582675/shutdown-persistent-usb-install I recall the answer given did not work. A typical flash drive is good for a minimum 10000 writes, doing the math for a 32GB USB3 drive, at 50MB/s it takes 10.7 minutes to do one complete write or 44 work weeks working full time to do 10000 writes. I have several drives I have been using for over 10 years, (but not full time).