
Adding Encrypted Persistence to a Gnoppix Live USB Drive

Gnoppix “Live” has two options in the default boot menu which enable persistence — the preservation of data on the “Gnoppix Live” USB drive — across reboots. You can choose between:

This is an extremely useful enhancement, enabling you to retain documents, collected results, configurations, and more when running Gnoppix “Live” from the USB drive, even across different systems. The persistent data is stored in its own LUKS-encrypted partition on the USB drive.

This guide assumes you have downloaded the Gnoppix “Live” ISO and are working on a Linux-based system. Step 0x01 writes the ISO to the USB drive; skip it if you have already created a Gnoppix “Live” USB drive and go straight to 0x02.

You will need root privileges to do this procedure, or the ability to escalate with sudo.


While /dev/sdX is used throughout this page, replace it with the device name of your USB drive on your system: the whole disk (for example /dev/sdc), not a partition such as /dev/sdc1. Use lsblk to verify it before running any command below; dd and fdisk overwrite whatever device you give them without further warning.


0x01 - Start by imaging the Gnoppix ISO onto your USB drive.

In this example the drive is /dev/sdX:

user@gnoppix:~$ sudo dd if=gnoppix-live-amd64.iso of=/dev/sdX conv=fsync bs=4M

Once done, inspect the USB partition structure using parted /dev/sdX print:

user@gnoppix:~$ sudo parted /dev/sdX print
Model: SanDisk Extreme (scsi)
Disk /dev/sdX: 62.7GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      32.8kB  4927MB  4927MB  primary               boot, hidden
 2      4927MB  4932MB  4194kB  primary
user@gnoppix:~$

0x02 - Create and format an additional partition on the USB drive.

Create a persistence partition in the free space after the two Gnoppix Live partitions. The here-string feeds fdisk the answers for one new primary partition with the default number, start and end, i.e. the rest of the drive:

user@gnoppix:~$ sudo fdisk /dev/sdX <<< $(printf "p\nn\np\n\n\n\np\nw")

If the free space still carries a filesystem signature from an earlier use of the drive, fdisk asks an extra question about removing it and the scripted answers above no longer line up with the prompts. In that case run sudo fdisk /dev/sdX interactively and answer the prompts by hand, or pass fdisk's --wipe-partitions always option so the signature is wiped without asking.

When fdisk completes, the new partition should appear as /dev/sdX3. Verify with lsblk /dev/sdX (on the machine used for this capture the drive was /dev/sdc):

user@gnoppix:~$ lsblk /dev/sdX
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sdc      8:32   1 58.4G  0 disk
├─sdc1   8:33   1  4.6G  0 part
├─sdc2   8:34   1    4M  0 part
└─sdc3   8:35   1 53.8G  0 part
user@gnoppix:~$

0x03 - Encrypt the partition with LUKS.

user@gnoppix:~$ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdX3
WARNING!
========
This will overwrite data on /dev/sdX3 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdX3:
Verify passphrase:
Existing 'ext4' superblock signature on device /dev/sdX3 will be wiped.
Key slot 0 created.
Command successful.
user@gnoppix:~$

0x04 - Open the encrypted partition.

user@gnoppix:~$ sudo cryptsetup luksOpen /dev/sdX3 my_usb
Enter passphrase for /dev/sdX3:
user@gnoppix:~$

0x05 - Create an ext4 filesystem and label it.

user@gnoppix:~$ sudo mkfs.ext4 -L persistence /dev/mapper/my_usb
mke2fs 1.47.2 (1-Jan-2025)
Creating filesystem with 14110720 4k blocks and 3530752 inodes
Filesystem UUID: aca1783a-4665-4077-b555-c748e391def1
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424
Allocating group tables: done
Writing inode tables: done
Creating journal (65536 blocks): done
Writing superblocks and filesystem accounting information: done
user@gnoppix:~$

0x06 - Mount the partition and create persistence.conf.

user@gnoppix:~$ sudo mkdir -pv /mnt/my_usb
mkdir: created directory '/mnt/my_usb'
user@gnoppix:~$
user@gnoppix:~$ sudo mount -v /dev/mapper/my_usb /mnt/my_usb
mount: /dev/mapper/my_usb mounted on /mnt/my_usb.
user@gnoppix:~$
user@gnoppix:~$ echo "/ union" | sudo tee /mnt/my_usb/persistence.conf
/ union
user@gnoppix:~$
user@gnoppix:~$ sudo umount -v /mnt/my_usb
umount: /mnt/my_usb unmounted
user@gnoppix:~$

0x07 - Close the encrypted partition.

user@gnoppix:~$ sudo cryptsetup luksClose /dev/mapper/my_usb
user@gnoppix:~$
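Steps 0x01 to 0x07 as a single script, added here as an example rather than taken from the Gnoppix documentation. It refuses anything that is not a removable whole-disk device, derives the new partition's node name correctly for nvme and mmcblk disks as well as sdX, and uses fdisk's -W always so a stale filesystem signature does not derail the scripted answers. The function names are this script's own; the ISO path, the device and an optional mapper name are given on the command line.

```sh
#!/bin/sh
# mkpersist.sh: steps 0x01-0x07 above as one script with the checks that are
# easy to skip when typing them by hand. Added example, not part of Gnoppix;
# the function names are this script's own.
#   usage: sudo ./mkpersist.sh gnoppix-live-amd64.iso /dev/sdX [mapper-name]
set -eu

# Partition node for a disk and partition number. Disks whose name ends in a
# digit (nvme, mmcblk) need a "p" separator: /dev/nvme0n1 3 -> /dev/nvme0n1p3.
part_node() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# Accept only a whole-disk node; /dev/sdc3 or a mapper path is a typo we
# would otherwise happily overwrite with dd.
is_whole_disk() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/vd[a-z]) return 0 ;;
        /dev/nvme[0-9]n[0-9]|/dev/mmcblk[0-9])      return 0 ;;
        *)                                           return 1 ;;
    esac
}

# Refuse a disk the kernel does not flag removable or that has something
# mounted: the two usual ways a "USB" image ends up on the system disk.
assert_safe_target() {
    dev=$1
    is_whole_disk "$dev" || { echo "refusing: $dev is not a whole-disk node" >&2; return 1; }
    [ "$(cat "/sys/block/$(basename "$dev")/removable" 2>/dev/null)" = 1 ] \
        || { echo "refusing: $dev is not flagged removable" >&2; return 1; }
    if grep -q "^${dev}[p0-9]* " /proc/mounts; then
        echo "refusing: $dev has a mounted partition" >&2; return 1
    fi
}

# live-boot reads this file from the partition labelled "persistence";
# "/ union" overlays the whole root filesystem. Returns the line written.
write_persistence_conf() {
    printf '/ union\n' > "$1/persistence.conf"
    cat "$1/persistence.conf"
}

main() {
    iso=$1; dev=$2; name=${3:-my_usb}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 1; }
    assert_safe_target "$dev"

    # 0x01: image the ISO. conv=fsync so dd does not return before the writes land.
    dd if="$iso" of="$dev" bs=4M conv=fsync status=progress

    # 0x02: one primary partition over the free space. -W always wipes stale
    # filesystem signatures on the new partition without fdisk's extra yes/no
    # prompt, which the scripted answers below do not cover.
    printf 'n\np\n\n\n\nw\n' | fdisk -W always "$dev" >/dev/null
    partprobe "$dev" 2>/dev/null || blockdev --rereadpt "$dev"
    part=$(part_node "$dev" "$(lsblk -nro TYPE "$dev" | grep -c part)")

    # 0x03-0x04: LUKS2 (cryptsetup's default) with a verified passphrase, then open it.
    cryptsetup --verbose --verify-passphrase luksFormat "$part"
    cryptsetup luksOpen "$part" "$name"

    # 0x05-0x07: ext4 with the label live-boot looks for, persistence.conf, close.
    mkfs.ext4 -q -L persistence "/dev/mapper/$name"
    mnt=$(mktemp -d)
    mount "/dev/mapper/$name" "$mnt"
    write_persistence_conf "$mnt"
    umount "$mnt"; rmdir "$mnt"
    cryptsetup luksClose "$name"
    echo "done: $part is the encrypted persistence partition"
}

if [ "$#" -ge 2 ]; then main "$@"; else
    echo "usage: $0 <gnoppix.iso> /dev/sdX [mapper-name]" >&2
fi
```

The partition number is taken from what the kernel sees after fdisk writes the table rather than hard-coded to 3, so the script also works if a future image ships a different number of partitions; the removable-flag check is read from sysfs and will reject an internal disk even if you mistype its name.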

Your USB drive is now ready. Reboot, boot from the USB drive, and select “Live USB Encrypted Persistence” from the boot menu; you will be asked for the LUKS passphrase during boot, before the persistent partition is mounted.

user@gnoppix:~$ reboot

As security professionals, we often travel with sensitive data. A nuke password is a second passphrase that, when entered at the boot-time unlock prompt, erases the LUKS keyslots instead of opening the device, so the encrypted store becomes unreadable even if the real passphrase is later obtained from you. Configure one as a safety measure:

user@gnoppix:~$ sudo apt install -y cryptsetup-nuke-password
[...]
user@gnoppix:~$
user@gnoppix:~$ sudo dpkg-reconfigure cryptsetup-nuke-password
INFO: Storing the nuke password's crypted hash in /etc/cryptsetup-nuke-password/password_hash
Processing triggers for initramfs-tools (0.145) ...
update-initramfs: Generating /boot/initrd.img-6.11.2-amd64
user@gnoppix:~$

The configured nuke password is stored in the initrd and works with all encrypted partitions unlockable at boot time. Note that update-initramfs rewrote the initrd under /boot of the running system, whereas a live USB boots the kernel and initrd shipped on the ISO partition; confirm on a drive whose contents you can afford to lose that the nuke password is actually honoured at the unlock prompt before you rely on it.

Because the nuke erases the keyslots, the only way back is a copy of the LUKS header taken beforehand. Back it up now, encrypt the backup, and destroy the plaintext copy: a plaintext header backup defeats the nuke, since anyone holding it and your passphrase can restore it and unlock the drive, and it also allows offline guessing of the passphrase. The -pbkdf2 flag makes openssl derive the key with PBKDF2 instead of its weak legacy default (OpenSSL 3 warns when it is omitted); the same flag must be given again when decrypting. Keep the plaintext file on a tmpfs such as /dev/shm if you want the shred below to mean anything on flash storage.

user@gnoppix:~$ sudo cryptsetup luksHeaderBackup --header-backup-file luksheader.back /dev/sdX3
user@gnoppix:~$
user@gnoppix:~$ sudo openssl enc -e -aes-256-cbc -pbkdf2 -in luksheader.back -out luksheader.back.enc
enter AES-256-CBC encryption password:
Verifying - enter AES-256-CBC encryption password:
user@gnoppix:~$
user@gnoppix:~$ ls -lh luksheader.back*
-r-------- 1 root root 16M Jun 6 07:28 luksheader.back
-rw-r--r-- 1 root root 17M Jun 6 07:29 luksheader.back.enc
user@gnoppix:~$
user@gnoppix:~$ sudo shred -v luksheader.back
shred: luksheader.back: pass 1/3 (random)...
shred: luksheader.back: pass 2/3 (random)...
shred: luksheader.back: pass 3/3 (random)...
user@gnoppix:~$

Boot into your encrypted store and provide the nuke password instead of the real decryption passphrase. This erases the LUKS keyslots: the ciphertext stays on the partition, but nothing can unlock it until the header is restored from your backup. To recover, decrypt the backup (-pbkdf2 must match what was used at encryption time; omit it if you encrypted without it) and write it back over the nuked header:

user@gnoppix:~$ sudo openssl enc -d -aes-256-cbc -pbkdf2 -in luksheader.back.enc -out luksheader.back
enter AES-256-CBC decryption password:
user@gnoppix:~$
user@gnoppix:~$ sudo cryptsetup luksHeaderRestore --header-backup-file luksheader.back /dev/sdX3
WARNING!
========
Device /dev/sdX3 already contains LUKS2 header. Replacing header will destroy existing keyslots.
Are you sure? (Type 'yes' in capital letters): YES
user@gnoppix:~$

Your keyslots are restored. Reboot and provide your normal LUKS passphrase; the system is back to its original state. Once the restore has succeeded, shred the decrypted luksheader.back again and keep only the encrypted copy.
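The backup and restore steps above as one script, an added example that is not part of the Gnoppix page. It keeps the plaintext header only in a tmpfs directory (assumed to be mounted at /dev/shm), checks with cryptsetup's --test-passphrase that the backup really unlocks the device before shredding it, and wraps the backup with openssl using PBKDF2. The function names and the VAULT_PASS environment variable are this script's own.

```sh
#!/bin/sh
# luks-header-vault.sh: the backup/encrypt/shred and decrypt/restore steps
# above, with the plaintext header kept in RAM and verified before it is
# wiped. Added example, not part of Gnoppix; function names are this
# script's own, the passphrase for the wrapping key comes from $VAULT_PASS,
# and /dev/shm is assumed to be a tmpfs.
set -eu

# PBKDF2 with a high iteration count replaces openssl's legacy key derivation
# (EVP_BytesToKey, the default without -pbkdf2). The passphrase is read from
# the environment so it never appears in argv or in shell history.
seal_file() {   # seal_file <plaintext> <ciphertext>
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -pass env:VAULT_PASS -in "$1" -out "$2"
}
unseal_file() { # unseal_file <ciphertext> <plaintext>
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -pass env:VAULT_PASS -in "$1" -out "$2"
}

# Dump the header of $1, prove the dump unlocks the device (cryptsetup asks
# for the LUKS passphrase), seal it to $2, then wipe the RAM copy.
backup_header() {   # backup_header /dev/sdX3 luksheader.back.enc
    dev=$1; out=$2
    tmp=$(mktemp -d -p /dev/shm)
    cryptsetup luksHeaderBackup --header-backup-file "$tmp/hdr" "$dev"
    # --test-passphrase only checks the key and activates nothing; --header
    # makes cryptsetup use the backup file instead of the header on the device,
    # so a corrupt or mis-targeted backup is caught here, not after a nuke.
    cryptsetup luksOpen --test-passphrase --header "$tmp/hdr" "$dev"
    seal_file "$tmp/hdr" "$out"
    shred -u "$tmp/hdr"; rmdir "$tmp"
    echo "header of $dev sealed in $out"
}

# Decrypt $1 into RAM, write it over the (nuked) header of $2, wipe the copy.
restore_header() {  # restore_header luksheader.back.enc /dev/sdX3
    enc=$1; dev=$2
    tmp=$(mktemp -d -p /dev/shm)
    unseal_file "$enc" "$tmp/hdr"
    cryptsetup luksHeaderRestore --header-backup-file "$tmp/hdr" "$dev"
    shred -u "$tmp/hdr"; rmdir "$tmp"
}

case "${1:-}" in
    backup)  backup_header "$2" "$3" ;;
    restore) restore_header "$2" "$3" ;;
    *) echo "usage: $0 backup /dev/sdX3 hdr.enc | restore hdr.enc /dev/sdX3 (export VAULT_PASS first)" >&2 ;;
esac
```

Export VAULT_PASS in the shell before calling the script rather than prefixing it on the command line, otherwise the wrapping passphrase lands in your history file; the LUKS passphrase itself is still requested interactively by cryptsetup during the verification step.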