Hi everybody 
Is it useful to install the /boot partition on an usb stick with write protection ? And is it possible ? If yes, how can I do this ?
Thanks a lot for your answers
Yes, you can do this.
It’s come up on the forum a number of times - I think @51lieal wrote a
guide to installing with a detachable /boot.
Search the forum.
If you have already installed Qubes then you can move the unencrypted
/boot to an external USB.
Alternatively you can move /boot inside the encrypted device.
There are many things you can do - what is your aim?
3 Likes
Just guessing here, but i think this could give a security boost in a dual boot scenario, as the unencrypted boot partition is not exposed to the potentially malicious second operating system. Not bulletproof of course, but certainly better than nothing.
1 Like
If USB itself is to trust to…
1 Like
Not to mention if anyone’s ever booted a Linux distro from an external USB and installed a Linux distro onto another external USB, the installer always seems to like to add files to your internal drive’s boot partition.
And Windows likes to completely destroy your UEFI boot configuration if you merely boot from the installer ISO….
Depending on BIOS capabilities internal SD card on a non-usb controller would be probably less non-secure way?
1 Like
If Qubes is already installed I would need to use gparted to move the partition right? Is there anything else that would need to be changed to allow it to boot after doing that? For me personally it would be to help protect /boot in a dual boot scenario. Thanks!
check 2.1 and 3 and 4 on :
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
instead of deleting older boot, you can copy first and set up everything in flashdrive, in case something wrong you can always quick recover.
2 Likes