/boot partition on usb stick

Hi everybody :slight_smile:

Is it useful to install the /boot partition on an usb stick with write protection ? And is it possible ? If yes, how can I do this ?

Thanks a lot for your answers :slight_smile:

Yes, you can do this.
It’s come up on the forum a number of times - I think @51lieal wrote a
guide to installing with a detachable /boot.
Search the forum.

If you have already installed Qubes then you can move the unencrypted
/boot to an external USB.
Alternatively you can move /boot inside the encrypted device.

There are many things you can do - what is your aim?

3 Likes

Just guessing here, but i think this could give a security boost in a dual boot scenario, as the unencrypted boot partition is not exposed to the potentially malicious second operating system. Not bulletproof of course, but certainly better than nothing.

If USB itself is to trust to…

1 Like

Not to mention if anyone’s ever booted a Linux distro from an external USB and installed a Linux distro onto another external USB, the installer always seems to like to add files to your internal drive’s boot partition.

And Windows likes to completely destroy your UEFI boot configuration if you merely boot from the installer ISO….

Depending on BIOS capabilities internal SD card on a non-usb controller would be probably less non-secure way?

1 Like

If Qubes is already installed I would need to use gparted to move the partition right? Is there anything else that would need to be changed to allow it to boot after doing that? For me personally it would be to help protect /boot in a dual boot scenario. Thanks!

check 2.1 and 3 and 4 on :
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

instead of deleting older boot, you can copy first and set up everything in flashdrive, in case something wrong you can always quick recover.

2 Likes