Did you ever want your own Debian Live CD with additional programs such as tor for secure downloads, debcheckroot for verifying against rootkits, gnupg with smart card support, cdrskin and genisoimage for burning CDs, grub2 for resolving boot problems, flashrom for reading, verifying and flashing your BIOS, filezilla for secure web uploads, virt-manager to boot Tails or Whonix via qemu-kvm, or simply a better editor for programming? The good thing about this solution is that you do not have to generate a new iso whenever you want to update your base system. You can still boot your read-only USB stick or your SD card securely in read-only mode, and add extensions of your own choice, while offline, from a Debian Blu-ray.
Please sign our Contributor License Agreement if you want to contribute code. Otherwise we cannot assimilate and re-distribute your changes here at elstel.org.
how it works
The idea is to create a DOS partition table with parted or fdisk on your SD card. The first partition needs to be big enough for the Debian Live iso: a DVD holds no more than 4.5GB, and for Debian Live 3GB should be sufficient. Download the iso, simply copy it with dd into the first partition and then install the Grub bootloader. For Debian you have the choice between a strictly OSS live CD and one with additional firmware, which some computers require for graphics mode setting beyond 640x480:
$ parted -a optimal /dev/sdx
(parted) mktable msdos
(parted) mkpart primary 0 3GB
(parted) mkpart primary 3GB 32GB
(parted) print
Disk /dev/sdx: 32,0GB
Partition Table: msdos
Number Start End Size Type File system Flags
1 512B 3000MB 3000MB primary lba
2 3001MB 32,0GB 29,0GB primary lba
(parted) quit
$ wget https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/10.1.0-live+nonfree/amd64/iso-hybrid/debian-live-10.1.0-amd64-xfce+nonfree.iso
$ dd if=debian-live-10.1.0-amd64-xfce+nonfree.iso bs=2048 of=/dev/sdx1
$ mkfs.ext3 -L data -m 0 /dev/sdx2
$ mkdir /data /debiso
$ mount /dev/sdx2 /data
$ tar -xvjf deblive-skeleton-v1.0.tar.bz2
$ cp -a deblive-v1.0/* /data/
$ sed -i 's#/dev/sdh#/dev/sdx#' /data/boot/prepare4grubinstall
$ /data/boot/prepare4grubinstall
$ /data/boot/cleanupaftergrubinstall
The mount points need to be called /data and /debiso because the scripts we have written for deblive reference them directly. The device node /dev/sdh is also hardcoded in prepare4grubinstall, which is why the sed command above replaces it with your device. prepare4grubinstall is not really an accurate name because the script does actually install Grub on your SD card. The author uses SD cards rather than a dozen USB sticks because they are easier to store and to carry and, last but not least, they have a read-only feature for security if your SD card reader supports it. The boot menu is stored in /data/boot/grub/grub.cfg; such a template file can be created with grub-mkconfig >file. Some Wikipedia articles claim that the read-only feature of SD cards is implemented in software. This is not true, as it is enforced by the reader, which is hardware. We have also asked our hardware manufacturer and he has assured us that there is no way to circumvent the read-only protection of his reader.
$ mount /dev/sr0 /debiso
$ cd /data/pkginst
$ ./cpy-here
$ ./cpy-here-virt-manager
Finally you need to copy the packages you want to extend your Debian Live with from a Debian Blu-ray of the same release, which is 10.1.0 here. The Blu-ray can be found at https://cdimage.debian.org/debian-cd/10.1.0/amd64/jigdo-dlbd/. You will also need the jigdo tool from http://atterer.org/jigdo/ (http://atterer.org/sites/atterer/files/2009-08/jigdo/jigdo-bin-0.7.3.tar.bz2) to download the Blu-ray with jigdo-lite xy.jigdo. Having such a Blu-ray is also necessary for running an offline computer. For best security of an offline computer always carry the solid state disk you installed on with you. This prevents physical access and keylogging of the encryption password by intelligence services. The commands above show how to copy the required *.deb packages into the current /data directory. The second command is for virt-manager only, if you want to use your deblive boot stick as a Whonix host or to boot Tails via qemu-kvm. Both distros provide secure Tor access. Whonix puts the Tor server and the Tor client into virtual machines of their own, so that a cracked client cannot automatically give away the connection, because the client only has access to the server and not to the physical network you are in. We recommend Whonix-kvm and a read-only bootable Grub for best security. Tails is the easier standard solution for Tor.
$ sudo su
$ mkdir /data
$ mount /dev/sda2 /data
$ cd /data/pkginst
$ ./install-utils
…
The above lines need to be typed on every boot of the live image. Add iomem=relaxed to the kernel command line on boot (press 'e' in the Grub menu, edit the kernel parameters, which you may have seen previously with cat /proc/cmdline, and then press [ctrl]-[x] to boot) if you want to use flashrom. Alternatively you can add an entry of your own to your grub.cfg that includes iomem=relaxed.
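Because iomem=relaxed disables the kernel's restriction of /dev/mem to non-RAM ranges (STRICT_DEVMEM), which flashrom's internal programmer needs but a normal read-only session does not, the parameter belongs in a separate Grub entry rather than on the default one. The script below is an added example and not part of the deblive skeleton: it appends a copy of the first menuentry of a grub-mkconfig style grub.cfg, such as /data/boot/grub/grub.cfg on this page, with the parameter added to the kernel line. The kernel and initrd paths in its demo are constructed.

```sh
#!/bin/sh
# Added example, not from the deblive skeleton: print a grub.cfg followed by a
# copy of its first menuentry, retitled and with iomem=relaxed appended to the
# kernel ("linux") line, so flashrom gets its own boot entry and the default
# entry stays unchanged. Assumption: a grub-mkconfig style grub.cfg; the demo's
# paths are made up.
set -u

# add_flashrom_entry CFG: prints CFG, then the derived entry
add_flashrom_entry() {
    cfg=$1
    cat "$cfg"
    echo
    awk '
        /^menuentry / && !done { inblock = 1 }
        inblock {
            line = $0
            # retitle: the first quoted string (" or \047) on the menuentry line
            if (line ~ /^menuentry / && match(line, /["\047][^"\047]*["\047]/)) {
                q = substr(line, RSTART, 1)
                title = substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, 1, RSTART - 1) q title " (flashrom, iomem=relaxed)" q substr(line, RSTART + RLENGTH)
            }
            # append the parameter to the kernel line, but only once
            if (line ~ /^[ \t]*linux[ \t]/ && index(line, "iomem=relaxed") == 0)
                line = line " iomem=relaxed"
            print line
            if ($0 ~ /^}/) { inblock = 0; done = 1 }
        }
    ' "$cfg"
}

# demo with a constructed grub.cfg (paths are made up, not the skeleton's)
demo() {
    t=$(mktemp -d) || return 1
    cat > "$t/grub.cfg" <<'EOF'
set timeout=5
menuentry 'Debian Live (read-only stick)' {
    set root=(hd0,msdos1)
    linux /live/vmlinuz boot=live components
    initrd /live/initrd.img
}
EOF
    add_flashrom_entry "$t/grub.cfg"
    rm -rf "$t"
}

# Real use:  add_flashrom_entry /data/boot/grub/grub.cfg > /data/boot/grub/grub.cfg.new
#            then read grub.cfg.new and mv it over grub.cfg (stick mounted read-write)
case "${1:-}" in --demo) demo ;; esac
```

Keep the derived entry out of the default position so that a stick booted in read-only mode for productive use still runs with the normal /dev/mem restriction.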
Finally you will need to know the preconfigured username and password of the Debian Live CD when the screensaver pops up; they are: 'user' and 'live'.
adding your own packages
You may wonder how the cpy-here and the install-* scripts were created. You do not need to do this by hand. All you need is another computer on which you have installed the same version of Debian, which is likely the stable distribution. In deblive-skeleton.tar.bz2 there is a directory called ./pydeps. Three scripts do the main work: pydeps.py collects all dependencies of a given list of packages; invoke it on the other computer, where you run Debian stable and have already installed the required packages via apt. notinst.py filters out the dependencies that are currently unfulfilled; execute it on a live stick boot. createinstscripts.py is used to create an install-xy script and to extend your current cpy-here. Additionally you may use uniq-unsorted.py to weed out duplicate entries in an installation or copy script without destroying the install order. You may also create dependent install scripts which require other install scripts to have been executed before: specify the additional files to be subtracted as command line arguments to uniq-unsorted.
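The two list operations at the heart of that workflow, removing duplicates while keeping the install order and subtracting what an earlier install script already covers, are small enough to show in full. The following is an added example written for this page, not the pydeps scripts from the skeleton: uniq_unsorted mirrors what the text says uniq-unsorted.py does, and not_installed mirrors the filtering step of notinst.py via dpkg-query. The package names in the demo are constructed.

```sh
#!/bin/sh
# Added example, not the pydeps scripts from the skeleton: the two list
# operations those scripts perform, written as shell functions so that the
# ordering rule is explicit. Package names in the demo are constructed.
set -u

# uniq_unsorted LIST [SUBTRACT...]
# Prints LIST without duplicates, keeping each entry's FIRST occurrence so a
# dependency is still handled before the package that needs it, and without
# any entry listed in a SUBTRACT file (packages an earlier install-xy script
# already covers, which makes the new script depend on that one).
uniq_unsorted() {
    list=$1; shift
    awk -v list="$list" '
        FILENAME != list { skip[$0] = 1; next }   # subtract files come first
        $0 != "" && !($0 in skip) && !seen[$0]++   # then the list, in order
    ' "$@" "$list"
}

# not_installed LIST: keep the entries dpkg does not report as installed on the
# running (live) system; this is the filtering notinst.py does on the stick
not_installed() {
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        st=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null) || st=""
        case "$st" in *" installed") ;; *) printf '%s\n' "$pkg" ;; esac
    done < "$1"
}

# demo with constructed lists; on the Debian stable machine such a list would
# come from something like
#   apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts \
#       --no-breaks --no-replaces --no-enhances flashrom | grep '^[a-z0-9]'
# (the collection step that pydeps.py automates)
demo() {
    t=$(mktemp -d) || return 1
    printf '%s\n' libfoo1 foo libfoo1 bar libbar2 bar baz > "$t/flashrom.list"
    printf '%s\n' libbar2 baz > "$t/install-base.list"
    echo "flashrom.list minus install-base.list, duplicates removed:"
    uniq_unsorted "$t/flashrom.list" "$t/install-base.list"
    rm -rf "$t"
}

case "${1:-}" in --demo) demo ;; esac
```

The order matters because the install scripts run dpkg -i on the packages one after the other: sorting the list alphabetically, as plain sort -u would, could put a package before the library it depends on.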
The scripts do not need to be updated between sub-versions like 10.1.0 and 10.2.0, as the version numbers are wildcarded automatically. When you update to a new debian-live iso, just re-run cpy-here. It is recommended to only extend packages while you are offline and to reboot into read-only mode for productive use. The experimental fetchupd.py should be no exception: fetch the updates onto a USB hard disk and copy them onto the stick after a clean rw-reboot. You should not ultimately trust individual online package downloads. However, they may be needed for a Whonix host if there is a known security issue with qemu-kvm. fetchupd.py does not have a full-fledged dependency analysis and it may break dependencies when trying to update. It may work for small updates, though. Otherwise better wait for the next sub-release of Debian.
deblive and direct usage of Tor
After installing Tor with ./install-utils you need to edit /etc/tor/torrc. You may ./install-gedit if you do not want to use vi. Uncomment the "RunAsDaemon 1" line and optionally also the "Log notice file /var/log/tor/notices.log" line. Then run /sbin/tor directly to start the daemon and prepend torsocks to every command that should use Tor rather than a direct internet connection.
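Since the torrc edit has to be redone after every read-only boot of the stick, it is worth scripting. The function below is an added example, not part of the skeleton: it sets an option exactly once, whether the file has it commented out as Debian's default torrc does ("#RunAsDaemon 1"), has it missing, or already lists it (possibly more than once). The torrc excerpt in its demo is constructed.

```sh
#!/bin/sh
# Added example, not part of the deblive skeleton: set a torrc option exactly
# once. Handles the commented default ("#RunAsDaemon 1"), a missing option and
# duplicate lines. The demo's torrc excerpt is constructed.
set -u

# set_torrc FILE KEY VALUE...
set_torrc() {
    file=$1; key=$2; shift 2; val=$*
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            sub(/^[ \t#]+/, "", line)             # ignore comment marker and indent
            split(line, f, /[ \t]+/)
            if (f[1] == key) {
                if (!done) { print key " " val; done = 1 }   # first hit: rewrite in place
                next                                          # later hits: drop
            }
            print
        }
        END { if (!done) print key " " val }      # not present at all: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# demo: constructed excerpt in the style of Debian's default torrc
demo() {
    t=$(mktemp -d) || return 1
    cat > "$t/torrc" <<'EOF'
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
#RunAsDaemon 1
#Log notice file /var/log/tor/notices.log
EOF
    set_torrc "$t/torrc" RunAsDaemon 1
    set_torrc "$t/torrc" Log notice file /var/log/tor/notices.log
    cat "$t/torrc"
    rm -rf "$t"
}

# Real use, as root after ./install-utils:
#   set_torrc /etc/tor/torrc RunAsDaemon 1
#   tor -f /etc/tor/torrc --verify-config     # syntax check before starting
#   /sbin/tor
#   torsocks wget https://example.org/file    # only this command goes through Tor
case "${1:-}" in --demo) demo ;; esac
```

The comparison is on the first word of the line with leading "#" and whitespace stripped, so the prose comment mentioning --runasdaemon in the default torrc is left alone while the commented setting itself is activated.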