Live USB with encrypted persistent volume

Hi,

I did some research online but couldn’t find any answer.
Is there a method to create a LIVE USB with a LUKS-encrypted persistent copy-on-write volume that can be decrypted and mounted at boot?

Thanks

It depends on what you are looking for.

I am updating openSUSE on a USB external drive right now. And it uses LUKS encryption.

I just installed the usual way. I booted the installer, then plugged in the USB drive while it was still booting.

I used the expert partitioner to choose the partitions that I want on the USB drive.

The only tricky part was the boot setup. And what made that tricky is that I wanted to be able to use this USB drive on both legacy and UEFI systems. During partitioning, I did set up an EFI partition to be mounted at “/boot/efi”. But I installed for legacy booting. I later added support for UEFI booting with

shim-install --removable

Thanks for your reply.
Maybe I need to better clarify what I want.

I simply wish to have an instance of Leap on a portable USB and the persistent filesystem should be encrypted. So when I boot from USB, I get prompted to decrypt the persistent volume and then Leap can boot from USB normally.

Thanks for your reply.
Maybe I should clarify what I want.

I wish to have an instance of Leap on a live USB and the persistent filesystem should be encrypted.

So that when I boot from USB, I get prompted to decrypt the cow volume and then Leap can boot normally.

The way that a live USB normally works, the live system is on read-only storage. During startup, a persistent file system is configured on unused space on the USB, and an overlay is set up so that anything you write is written to the persistent file system.

That’s all set up during boot, with a lot of the code that does it inside the “initrd”. To change that to use crypto, you would have a lot of work to do. I have never tried that, and I doubt that it is worth the effort.

What I suggested was to instead just do a normal install (with crypto) to the USB. That’s a lot more straightforward.

I suspected it wasn’t something straightforward, so you confirmed that.
I’ll just proceed with the normal crypto install on the USB drive.

Thank you for your reply, I appreciated your explanation!

C.