How to move your /boot partition onto removable media.

Antarctica Starts Here. » Antarctica Starts Here. 2014-04-19

Summary:

Part of every traveler's threat model today should include the following scenario: When you're trying to fly into or out of an airport en route to someplace else, it is entirely possible that the airport's security staff will take you aside for a more thorough search and questioning while your stuff is taken someplace out of your control and analyzed. We know that there are malware packages available today that booby-trap the boot device of laptop computers to install various forms of surveillance malware which run the next time you start your machine up and compromise the OS even though you may have locked it down to prevent live attacks. That the malware may capture the passphrase used to unlock an encrypted hard drive in the computer is an additional kick in the pants that one must be prepared to dodge. Here's one way to mitigate this threat, which involves the use of a USB key that you work to keep out of the clutches of others at all times.

Here's what I've got to work with:
  • A laptop computer running Arch Linux
  • /boot is on its own partition
  • The rest of the drive is encrypted with LUKS
  • I'm using SYSLINUX as my boot loader
  • I have a tiny USB key that I carry on my person at all times (let's say it's this one)
The first thing I did was partition and format the USB key so that it looks like this:

    [drwho@windbringer ~]$ sudo fdisk -l /dev/sdb

    Disk /dev/sdb: 7.3 GiB, 7862353920 bytes, 15356160 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0xefb32997

    Device     Boot   Start      End  Blocks Id System
    /dev/sdb1  *       2048  4196351 2097152 83 Linux
    /dev/sdb2       4196352 15356159 5579904 83 Linux

I formatted the first partition with the EXT4 file system because that's what I'm using on all of my Linux machines these days. After mounting the USB key on Windbringer I copied everything on the /boot partition onto it:

    sudo cp -rv /boot/* /media/USB

I then mounted my USB key in place of the /boot partition so I could install the boot loader:

    sudo umount /boot
    sudo umount /media/USB
    sudo mount /dev/sdb1 /boot

Now to install the boot loader on my USB key. I use SYSLINUX (they spell it in all caps so I'll do the same) because GRUB2 pisses me off to no end these days, so this was actually quite straightforward:

    sudo syslinux-install_update -i -a -m

SYSLINUX requires that a configuration file syslinux/syslinux.cfg exist on the boot device to tell it where to find the boot files. I copied the one generated for me when I installed Arch Linux on this laptop, quoted here for the curious:

    UI menu.c32
    PROMPT 1
    MENU MASTER PASSWD nevergonnagiveyouupnevergonnaletyoudown
    MENU TITLE Boot Menu
    TIMEOUT 30
    DEFAULT linux

    LABEL linux
        MENU LABEL Primary Kernel
        LINUX vmlinuz-linux
        INITRD initramfs-linux.img
        APPEND root=/dev/mapper/root cryptdevice=/dev/sda2:root rw

    LABEL fallback
        MENU LABEL Fallback Kernel
        LINUX vmlinuz-linux
        INITRD initramfs-linux-fallback.img
        APPEND root=/dev/mapper/root cryptdevice=/dev/sda2:root rw

That's really all there is to it. To use it, plug the USB key in before powering on your laptop. After hitting the power button, hit whatever key combination causes your laptop to prompt you for the device to boot from. For me it's F12 but your mileage will probably differ. Select your USB key, and when prompted enter the passphrase to unlock your hard drive. After you boot, disconnect your USB key and put it away. If you can help it, never let it out of your sight. Wear it around your neck on a chain or something.

Remember that you'll have to update your USB key by recopying the contents of /boot to your USB key whenever you install updates that involve your system's kernel. If you're extra paranoid, you may wish to set the immutable extended file system a
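
To see which files on the key have gone stale after a kernel update, here is an added sketch (not part of the original post) that compares SHA-256 hashes of two directory trees. The function names boot_manifest and boot_drift are made up for this example, and it assumes file names without whitespace, which holds for the boot files listed above.

```sh
#!/bin/sh
# Added example, not from the original post: compare the updated /boot
# against the copy on the USB key by SHA-256 and report what differs.
# Assumption: file names contain no whitespace.

# Print "<sha256>  ./<relative path>" for every regular file under $1.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare source tree $1 (updated boot files) with key tree $2.
# Prints one line per finding:
#   STALE   <file>   present in both, content differs
#   MISSING <file>   present in the source, absent from the key
#   EXTRA   <file>   present only on the key (unexpected, inspect it)
# Returns 0 when both trees match, 1 when anything differs, 2 on setup error.
boot_drift() {
    src_list=$(mktemp) && key_list=$(mktemp) || return 2
    boot_manifest "$1" > "$src_list"
    boot_manifest "$2" > "$key_list"
    report=$(awk '
        FILENAME == ARGV[1] { src[$2] = $1; next }   # first file: source hashes
        {
            seen[$2] = 1
            if (!($2 in src))        print "EXTRA " $2
            else if (src[$2] != $1)  print "STALE " $2
        }
        END { for (f in src) if (!(f in seen)) print "MISSING " f }
    ' "$src_list" "$key_list" | LC_ALL=C sort)
    rm -f "$src_list" "$key_list"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

With the updated files in /boot and the key mounted at /media/USB as in the steps above, `boot_drift /boot /media/USB` lists what needs recopying; an EXTRA entry you did not put there yourself is worth a closer look before you boot from the key again.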

Link:

http://drwho.virtadpt.net/archive/2014/04/19/how-to-move-your-boot-partition-onto-removable-media

From feeds:

Gudgeon and gist » Antarctica Starts Here. » Antarctica Starts Here.

Tags:

content

Authors:

The Doctor

Date tagged:

04/19/2014, 23:40

Date published:

04/19/2014, 22:29