Quick Overview
For the past few months, I have been using this setup. It remains a solid choice: storing an unencrypted /boot and a detached LUKS header on a USB drive leaves the internal disk fully encrypted, with no LUKS header or other metadata on it.
However, it has some friction. I have to manually mount /boot before updating dom0 and remember to unmount it before rebooting or restarting sys-usb (e.g., during a template upgrade) to prevent the system from hanging.
Another setup makes /boot both encrypted and detached (stored on the USB). This also requires the drive to be present and mounted during dom0 updates.
I have successfully implemented an alternative setup with the following benefits:
- The drive only contains the EFI binary and headers. Only ~30MB in my case.
- The boot partition is stored encrypted on the internal disk.
- dom0 can be updated without the USB drive.
- The drive only needs to be updated if you change your GRUB config or LUKS headers.
- Use a single USB drive for multiple machines.
- Potentially simplifies enabling Secure Boot (unverified).
Explanation
The OS is installed "normally" into an encrypted LUKS partition that includes /boot. We then create a USB drive containing only the GRUB EFI binary and the detached LUKS header. Upon booting, GRUB (on the USB) unlocks the internal LUKS2 partition using the detached header, locates the internal /boot, and hands over to the regular grub.cfg there, which boots Xen and dom0 as usual.
Prerequisites
This guide assumes Qubes is already installed, preferably with a detached header.
If you use Argon2 as the LUKS2 key derivation function, a recent version of GRUB is needed to unlock the partition. Note that this GRUB does not need to be installed in dom0: the EFI binary is built once with grub-mkstandalone, which can run in any VM that has a recent GRUB.
It is highly recommended to familiarize yourself with the two setups mentioned above, as well as the basic information in the Arch Wiki.
High-Level How-To
- Define the /boot location. It should be inside a LUKS partition. Since GRUB does not yet support LVM thin provisioning, ensure your `/boot` resides on a standard LVM logical volume or a dedicated partition. In particular, `/boot` can be just a normal folder in `/`, provided `/` itself is on a volume and filesystem GRUB can read (a default Qubes install puts `/` on a thin volume, which GRUB cannot read).
- If your `/boot` is currently detached or unencrypted, move those files to the internal location defined in the previous step.
- Write a minimal `grub.cfg` that:
  - loads the necessary modules;
  - uses `cryptomount` to unlock the LUKS partition using the header file on the USB;
  - uses `configfile` to hand over to the primary `grub.cfg` inside the now-unlocked LUKS partition.
- Use `grub-mkstandalone` to create an EFI binary and copy it to the USB EFI partition. Copy your header file to the USB, ensuring the path matches your `grub.cfg`.
- Register the EFI entry using `efibootmgr` and adjust your BIOS/UEFI boot order as needed.
- (Optional) To avoid entering your password twice, embed a LUKS keyfile into the `initramfs` in dom0. Because `/boot` is now encrypted, the `initramfs` (and the keyfile inside it) remains protected at rest. Note that the kernel does not "inherit" the unlocked state from GRUB, so it still needs credentials to unlock the partition again, and, since the header is detached, it still needs the header file as well (read from the USB, or embedded next to the keyfile). Keep the keyfile readable by root only, and make sure whatever adds it to the `initramfs` runs on every kernel update, otherwise the next dom0 kernel will prompt for the passphrase again.
Multiple Machines
A single USB drive can support multiple machines. Store all relevant header files on the drive and have the USB's grub.cfg identify the machine by its system UUID via GRUB's `smbios` command. This allows GRUB to select at boot which header and partition to use.
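As an added example (not the author's files or the project's own tooling), the following POSIX shell script produces the USB-side grub.cfg described in the High-Level How-To, with one branch per machine keyed on the SMBIOS system UUID as in the section above, and wraps the grub-mkstandalone and efibootmgr invocations. All UUIDs, device names, header paths and the `/grub2/grub.cfg` location are placeholders to be replaced with your own values; the `-H` option of `cryptomount`, which reads the LUKS2 header from a file, requires GRUB 2.12 or newer.

```shell
#!/bin/sh
# Added example for this guide, not the author's own files: generate the USB-side
# grub.cfg for one or more machines, build the standalone GRUB EFI image from it,
# and register the UEFI boot entry. Every UUID, device name and path below is a
# placeholder to be replaced with values from your own system.
set -eu

# Constructed machine table, one line per machine:
#   <SMBIOS system UUID>|<header file on the USB>|<LUKS partition, GRUB name>|<fs UUID of internal /boot>
# Get the SMBIOS UUID exactly as GRUB compares it by running
#   smbios --type 1 --get-uuid 8 --set u; echo $u
# at the GRUB prompt, the partition name with `ls` there, and the /boot UUID with blkid.
MACHINES='11111111-2222-3333-4444-555555555555|/headers/laptop.img|(hd1,gpt2)|aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
66666666-7777-8888-9999-000000000000|/headers/desktop.img|(hd0,gpt3)|ffffffff-0000-1111-2222-333333333333'

# Filesystem UUID of the USB EFI partition (the same drive serves every machine).
USB_FS_UUID='ABCD-1234'
# Path of the real grub.cfg relative to the internal /boot filesystem (Fedora/Qubes layout);
# use /boot/grub2/grub.cfg if /boot is just a directory inside the root filesystem.
BOOT_CFG_PATH='/grub2/grub.cfg'

# Print the minimal USB grub.cfg to stdout.
usb_grub_cfg() {
    usb_fs_uuid=$1; boot_cfg=$2; table=$3
    cat <<EOF
# USB-side grub.cfg: unlock the internal LUKS2 volume with a detached header,
# then hand over to the distribution grub.cfg inside the encrypted /boot.
# grub-mkstandalone bundles all modules of the GRUB build that runs it, so Argon2
# support depends on that build, not on anything installed in dom0.
insmod part_gpt
insmod fat
insmod cryptodisk
insmod luks2
insmod lvm
insmod ext2
insmod smbios

# Locate the USB EFI partition that holds the header files.
search --no-floppy --fs-uuid --set=usb $usb_fs_uuid

# Identify this machine by the UUID in its SMBIOS System Information (type 1) table, offset 8.
smbios --type 1 --get-uuid 8 --set machine_uuid
EOF
    printf '%s\n' "$table" | while IFS='|' read -r smbios_uuid header luks_dev boot_uuid; do
        [ -n "$smbios_uuid" ] || continue
        cat <<EOF

if [ "\$machine_uuid" = "$smbios_uuid" ]; then
    # -H reads the LUKS2 header from the USB instead of from the target device (GRUB >= 2.12).
    cryptomount -H (\$usb)$header $luks_dev
    # The unlocked volume (and any LVs on it) is now visible; find /boot by filesystem UUID.
    search --no-floppy --fs-uuid --set=root $boot_uuid
    configfile (\$root)$boot_cfg
fi
EOF
    done
    cat <<'EOF'

echo "No header configured for SMBIOS UUID $machine_uuid; dropping to the GRUB shell."
EOF
}

# Build the self-contained EFI image with the config embedded. Run this wherever a
# recent GRUB is installed (a VM is fine); Fedora-based systems name the tool grub2-mkstandalone.
build_standalone_efi() {
    cfg=$1; out=$2
    grub-mkstandalone -O x86_64-efi -o "$out" "boot/grub/grub.cfg=$cfg"
}

# Register the USB image with the firmware (run in dom0). Arguments: USB block device,
# EFI partition number, entry label.
register_boot_entry() {
    disk=$1; part=$2; label=$3
    efibootmgr --create --disk "$disk" --part "$part" --label "$label" \
        --loader '\EFI\BOOT\BOOTX64.EFI'
}

# Only act when invoked as `./make-usb-grub.sh build`; otherwise just define the functions.
if [ "${1:-}" = build ]; then
    usb_grub_cfg "$USB_FS_UUID" "$BOOT_CFG_PATH" "$MACHINES" > grub.cfg
    build_standalone_efi grub.cfg BOOTX64.EFI
    echo "Copy BOOTX64.EFI to <usb>/EFI/BOOT/ and each header to the path listed in MACHINES."
fi
```

Because the generated config branches on the SMBIOS UUID before touching any disk, a machine that is not in the table never has a header applied to the wrong partition; it simply falls through to the GRUB shell. When you add a machine, only the table changes, so you rebuild the EFI image once and copy the new header file next to the existing ones.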
Secure Boot (Not Verified)
With this setup, you sign the GRUB EFI binary once and only need to re-sign it when you update GRUB or its embedded configuration; kernel updates in dom0 need no signing. This is not a full hardware-to-kernel "root of trust": Secure Boot verifies only the GRUB image on the USB, and once GRUB has unlocked the volume it loads whatever kernel and initramfs it finds in /boot without checking signatures (LUKS keeps that content confidential but, in its default configuration, does not authenticate it). It is, however, a convenient way to keep Secure Boot enabled for compatibility with other operating systems.
Update: I’ve added a guide for dual boot and Secure Boot.