[PLUG] Boot Zotac from flash drive

Keith Lofstrom keithl at gate.kl-ic.com
Fri Jan 30 20:34:43 UTC 2015


On Wed, Jan 28, 2015 at 04:53:01PM -0800, jim karlock wrote:
> Is there some way to completely hide one instance of Ubuntu from the 
> other for security: I want one for secure banking and the other for 
> general use. A superficial test shows that the general use instance 
> can see the file structure of the entire drive, but cannot get into 
> the other's files without the password. I feel more secure if it were 
> not visible (except as a boot choice at boot time.)

The Zotac has a sufficiency of USB3 ports.   You can get a
16GB USB3 flash drive for around $25, and install a bootable
copy of Ubuntu on that USB3 drive for your secure instance.
Air gap security.

USB flash drives are not big, but they have plenty of room
for a minimal distro and a browser.

I would do it this way:

0) Set the Zotac BIOS boot priority order so "USB HDD" comes first.

1) Put the Ubuntu install "dvd" iso on a cheaper USB2 flash drive,
and use that for installation or reinstallation.  Since the Zotac needs
an external drive of some sort for install, a flash drive is much
quicker and more robust, and a suitable 4GB USB3 flash drive can
be found for perhaps $8 on sale at a big box store.  You will need
this for backup.

2) Buy TWO 16GB USB3 flash drives.  One will be your working drive,
and the other will be your backup drive.  

3) Use the install flash drive to build Ubuntu on the first 16GB
flash drive, and tweak until you like it.  If you are paranoid,
you can temporarily remove the hard drive from the Zotac when you
do this; with finger screws it only takes a minute.

4) Booted from the Ubuntu USB3 secure drive (set the boot order
in the BIOS), back it up to the other USB3 drive, inserted after
boot.  In single user mode, you can use:

   dd if=/dev/(secure-USB3drive-name) of=/dev/(backup-USB3drive-name)

to make a copy.

 4a) This is a bit tricky - it is easy to get the USB3 drives 
 mixed up.  Be sure to boot with only one drive, and it will
 probably boot as /dev/sda , the unmounted hard drive as /dev/sdb,
 and the other flash drive as /dev/sdc (WAG).

5) When you want to use the secure drive, shut down the normal
distro and hard disk, then start up with the USB3 secure drive
inserted.  DO NOT LEAVE THE USB3 FLASH DRIVE INSERTED when the
Zotac boots from the hard drive.

----

All that said, your biggest security hole is that the BIOS on
the Zotac may be compromised, or the USB drive might be.  The
frightening security hole is that none of us knows what Intel
designed into their processor.

Keith

-- 
Keith Lofstrom          keithl at keithl.com
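
Added example, not part of the message above: one way to avoid the drive mix-up described in 4a is to select the dd target from the transport and size columns that util-linux `lsblk` reports rather than from a guessed device name. The function name `choose_backup_target`, the variable `SAMPLE_LSBLK` and the device listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Picks the dd target for step 4
# from `lsblk -dbP -o NAME,TRAN,SIZE,TYPE` output instead of guessing names.

# choose_backup_target ROOT_DISK   (lsblk pairs output on stdin)
# Prints /dev/<name> of the single USB disk, other than ROOT_DISK, that is at
# least as large as ROOT_DISK. Prints nothing and returns 1 when ROOT_DISK is
# not itself a USB disk (booted from the hard drive) or the choice is ambiguous.
choose_backup_target() {
    awk -v root="$1" '
    function field(key,    s, i) {          # value of key="..." on this line
        i = index(" " $0, " " key "=\"")
        if (i == 0) return ""
        s = substr(" " $0, i + length(key) + 3)
        return substr(s, 1, index(s, "\"") - 1)
    }
    function fail(msg) { print "refusing: " msg > "/dev/stderr"; bad = 1 }
    field("TYPE") != "disk" { next }
    {
        name = field("NAME"); tran = field("TRAN"); size = field("SIZE") + 0
        if (name == root) { seen = 1; root_tran = tran; root_size = size }
        else if (tran == "usb") { n++; cand[n] = name; csize[n] = size }
    }
    END {
        if (!seen) fail("root disk " root " not listed")
        else if (root_tran != "usb") fail(root " is not a USB disk")
        else {
            for (i = 1; i <= n; i++)
                if (csize[i] >= root_size) { hits++; pick = cand[i] }
            if (hits != 1) fail((hits + 0) " USB disks could hold the copy, need exactly 1")
        }
        if (bad) exit 1
        print "/dev/" pick
    }'
}

# Constructed listing: secure flash, internal hard drive, backup flash, 4GB installer.
SAMPLE_LSBLK='NAME="sda" TRAN="usb" SIZE="16008609792" TYPE="disk"
NAME="sdb" TRAN="sata" SIZE="500107862016" TYPE="disk"
NAME="sdc" TRAN="usb" SIZE="16008609792" TYPE="disk"
NAME="sdd" TRAN="usb" SIZE="4009754624" TYPE="disk"'
printf '%s\n' "$SAMPLE_LSBLK" | choose_backup_target sda

# Live use, assuming the root filesystem sits on a plain partition of the flash drive:
#   root=$(lsblk -no PKNAME "$(findmnt -no SOURCE /)")
#   target=$(lsblk -dbP -o NAME,TRAN,SIZE,TYPE | choose_backup_target "$root") &&
#       dd if="/dev/$root" of="$target" bs=4M conv=fsync
```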


