grub-live - boot an existing Host OS or VM into Live Mode
The grub-live package offers an additional "LIVE mode" boot menu entry for the GNU GRUB boot loader. This package is compatible with many Linux distributions, including Debian and Ubuntu. In Kicksecure and Whonix it is installed by default. grub-live can be used on a host operating system (OS) as well as on a guest OS in a virtual machine.
grub-live is compatible and tested with Debian, Kicksecure and Whonix. In Kicksecure and Whonix it is installed by default. It should also run without problems on Ubuntu and other Linux distributions which implement Debian live boot. However, due to little user adoption and testing at this point in time, grub-live is still labelled untested for those distributions.
Installation / Getting started
The grub-live package is hosted under the grub-live GitHub repository. There you will also find the installation guide.
After the installation you can instantly use the Live Mode in your operating system. Simply boot/reboot your system and choose the new "LIVE mode" option in the boot menu. For Kicksecure specifically read: Detailed documentation for using the live mode for Kicksecure.
If you have installed grub-live and you want the "LIVE mode" option to be the default selected option in your grub menu, please follow the instructions below. Be aware however that, due to little user adoption and testing so far, this option is still labelled untested.
1. Do a grub-live package installation check
By default the grub-live package is installed in Kicksecure. If you boot your system and a boot menu entry "LIVE mode" is already available, then grub-live is already installed.
Alternatively you can make sure the grub-live package is installed. The following command can be used on the command line to check whether the package is already installed.
dpkg -l | grep grub-live
2. Set LIVE mode as default boot menu entry
There are 2 ways to accomplish this. Choose one of these options.
Option (A) - symlink method
- Advantage: This is easier because updates to grub-live will be automatically applied.
- Disadvantage: There will be a duplicate live boot menu entry.
- Copy and execute the following command
sudo ln -s /etc/grub.d/11_linux_live /etc/grub.d/09_linux_live
Option (B) - moving method
- Advantage: No duplicate live boot menu entry.
- Disadvantage: Updates to grub-live will NOT be automatically applied.
- Copy and execute the following command
sudo mv /etc/grub.d/11_linux_live /etc/grub.d/09_linux_live
3. Re-generate grub boot menu
The grub boot menu needs to be regenerated for the changes to be applied. Copy and execute the following command
The process of changing from "live mode opt-in through boot grub menu" to "live boot by default" has been completed.
If in step 2 "option (B)" was chosen then this process might need to be repeated from time to time if there have been updates to GRUB or to your system. The need to repeat this process from step 1 to step 4 is indicated as soon as the "LIVE mode" entry is no longer the default entry in the GRUB boot menu.
If in step 3 "option (A)" was chosen then this step is not needed. Updates will be applied automatically.
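A read-only check of which of the two methods from step 2 is in effect, as an added example that is not part of grub-live. The function name and the state labels are assumptions of this example; the two file names come from step 2.

```shell
#!/bin/sh
# Added example (not part of grub-live). Reports how the LIVE mode script is
# placed in a grub.d directory, using the two file names from step 2.

# live_default_state [DIR]   DIR defaults to /etc/grub.d
# Prints one of: symlink | dangling | moved | both-copies | opt-in | not-installed
live_default_state() {
    dir=${1:-/etc/grub.d}
    early="$dir/09_linux_live"   # placement step 2 uses to make LIVE mode the default
    stock="$dir/11_linux_live"   # file name used by the package
    if [ -L "$early" ]; then
        # Option (A): follows package updates, at the cost of a duplicate entry.
        if [ -e "$early" ]; then echo symlink; else echo dangling; fi
    elif [ -f "$early" ]; then
        # Option (B): a detached file that does not follow package updates.
        # If the stock file is present again, the 09_ copy may be out of date.
        if [ -e "$stock" ]; then echo both-copies; else echo moved; fi
    elif [ -e "$stock" ]; then
        echo opt-in              # LIVE mode is available but not the default
    else
        echo not-installed
    fi
}

# Demo on a constructed directory (the real /etc/grub.d is not touched).
demo=$(mktemp -d)
: > "$demo/11_linux_live"
live_default_state "$demo"       # opt-in
ln -s "$demo/11_linux_live" "$demo/09_linux_live"
live_default_state "$demo"       # symlink
rm -rf "$demo"
```

Run `live_default_state` without arguments to inspect the real /etc/grub.d.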
Get GRUB to remember your last choice (e. g. Live mode)
If you don't want to set Live Mode as your permanent default boot option but still want the comfort of having GRUB remember your last choice, e. g. "Live mode", then follow these instructions. 
1. Open file /etc/default/grub.d/50_user.conf in an editor with root rights.
Kicksecure for Qubes
NOTE: When using Kicksecure for Qubes, this needs to be done inside the Template.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
2. Now add those two lines to this file:
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
3. Finally execute this command: sudo update-grub
Your boot menu now remembers your last choice.
Alternative to grub-live
As an alternative to grub-live it is also possible to automatically detect if the disk is set to read-only and enable live mode automatically using the ro-mode-init package. Read VM Live Mode - Alternative ro-mode-init Configuration for further instructions.
ro-mode-init is currently less tested than
Comparison between grub-live and Tails
Tails is its own operating system whereas grub-live is a package enabling Live Mode on different Linux distributions. The following table shows advantages and disadvantages of grub-live in regard to Tails. It shall be noted however that, whereas Tails is optimized in regard to Live mode, grub-live is vastly more compatible with other systems.
Table: Comparison of grub-live and Tails
|Aspect||grub-live on the host / grub-default-live on the host||Tails DVD only||Tails USB / DVD, with persistent USB||Tails read-only medium, all other writable disks unplugged|
|Common  mode of operation||Yes||Yes||Yes||No |
|Amnesic / protects against disk modifications ||Yes||Yes||Yes||Yes|
|Protects against malware persistence on hard drive after malware compromise||No ||No ||No ||Yes |
|Protects against firmware trojans after malware compromise||No ||No ||No ||No |
|Avoid writing to arbitrary (non-boot) host disks||?||Yes ||Yes ||Yes |
|Disables removable drives auto-mounting||No||Yes  ||Yes ||Yes |
|Disabled virtual machine shared folders||No ||?||?||?|
|Wipe RAM on shutdown||No, but see ram-wipe. ||Yes, but with limitations. ||Yes, but with limitations. ||Yes, but with limitations. |
|Wipe video RAM on shutdown||No ||No ||No ||No |
|Emergency shutdown on USB removal||No||Yes||Yes||Yes|
|Live Mode Usability ||Average ||Good ||Good ||Good |
|Live Mode Indicator||For Xfce only. Not yet documented. ||Unneeded||Unneeded||Unneeded|
|Unified Amnesic + Anonymous User Experience||No ||Yes||Yes||Yes|
|Easy standard ("everyday") upgrades ||Yes||?||?||?|
|Release upgrades  possible anytime ||Yes||No ||No ||No |
|Live boot by default||
|Persistent boot by default||
|Full disk encryption compatibility||Yes||No||No||No|
|Encrypted persistence supported||Yes||Yes ||Yes ||Yes |
Here are some problems you might encounter and their possible solutions.
Live Check Systray Issues
The live mode is indicated by a Live Check Systray icon. It can happen that this icon has issues. If so, here's what you can do.
First of all this is NOT an indication of compromise by malware. The real issue is as simple as: The Live Check Systray is broken.
- 1) As mentioned in chapter Combine Kicksecure ™ Live VMs with Read-only Mode for Virtual Hard Drives chapter VirtualBox.
- 2) https://forums.kicksecure.com/t/livecheck-sh-script-broken-on-bookworm/269
If not an already known issue, please follow these steps:
1. Is livecheck.sh showing an error?
If livecheck is showing an error it might be the following issue. Live check runs the command sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO as the current unprivileged user. You can test this for yourself with the following command. If this is working then this is NOT the issue.
sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO
If this is not working the problem might be that this will only work by default for the user user, no other user. For example it will not work by default for the Linux user account user2 or any other than
If the problem is that a user other than user is the logged in subject then
- option (A) the current user - for example user2 - needs an exception in /etc/sudoers.d. For comparison see file
- option (B) the current user - for example user2 - needs to be or become a member of any of the following Linux user groups:
2. Try lsblk
If the above method does not work try also this:
sudo /bin/lsblk --all
3. If nothing works, report the bug
If you are still having issues you can report a bug. Include the output of the two lsblk commands above.
Technical Details of livecheck.sh
This chapter is for advanced users only.
Most users can skip this chapter. See livecheck.sh for further script details.
- The meaning of
- The meaning of
If anything in column RO is set to 0, then it is not blessed read-only hard drive mode.
lsblk without any snapd installed, Kicksecure, live mode, and read-only hard drive mode enabled.
sudo lsblk --all
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 1 disk
└─sda1 8:1 0 100G 1 part /lib/live/mount/medium
lsblk without any snapd installed, Kicksecure, live mode, and read-only hard drive mode disabled.
sudo lsblk --all
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
└─sda1 8:1 0 100G 0 part /lib/live/mount/medium
WickrMe installed, Kicksecure, persistent mode, and read-only hard drive mode disabled.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 62.1M 1 loop /snap/gtk-common-themes/1506
loop1 7:1 0 446M 1 loop /snap/wickrme/352
loop2 7:2 0 55M 1 loop /snap/core18/1754
sda 8:0 0 100G 0 disk
└─sda1 8:1 0 100G 0 part /lib/live/mount/medium
sr0 11:0 1 1024M 0 rom
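The RO rule above applied to the three listings, as an added example that is not the project's livecheck.sh. The function names and the "unknown" result for empty or unexpected input are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's livecheck.sh.
# Input: the RO column, one value per line, as printed by
#   sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO

# classify_ro: prints "read-only", "writable" or "unknown" (exit status 0, 1, 2).
classify_ro() {
    awk '
        { gsub(/[ \t\r]/, "") }      # tolerate padding and carriage returns
        $0 == ""  { next }           # skip blank lines
        $0 == "1" { ro++; next }     # read-only device (disk, or a snap loop device)
        $0 == "0" { rw++; next }     # writable device
        { bad++ }                    # anything else: not lsblk RO output
        END {
            if (bad || ro + rw == 0) { print "unknown";  exit 2 }
            if (rw)                  { print "writable"; exit 1 }
            print "read-only"
        }'
}

# check_now: run the command from the page and classify its output.
# If sudo refuses (no sudoers exception for this user) the output is empty,
# so the result is "unknown" rather than a false "read-only".
check_now() {
    sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO 2>/dev/null | classify_ro
}

# Constructed samples: RO columns of the three lsblk listings on this page.
SAMPLE_RO_ON='1
1'
SAMPLE_RO_OFF='0
0'
SAMPLE_SNAP='1
1
1
0
0
0'

for sample in "$SAMPLE_RO_ON" "$SAMPLE_RO_OFF" "$SAMPLE_SNAP" ""; do
    printf '%s\n' "$sample" | classify_ro || :   # non-zero status is expected here
done
```

The snap listing shows why a single 1 is not enough: the loop devices are read-only while sda is still writable, so the result is "writable".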
Users can skip this chapter and below.
Porting grub-live to other Linux Distributions
Might be rather simple in comparison to other packages.
grub-live should already be compatible with any Debian based distribution as mentioned on top of this wiki page. Testing is very limited.
- That would require packaging grub-live for Fedora.
- Or as a first step copying over the config files.
What grub-live technically in essence does:
- 1) The grub-live is just shipping 1 grub config file
- 2) Pull required dependencies in
- 3) Postinst runs: "
- Based on this askubuntu answer.
grub-live outside of a virtual machine. For grub-live in a VM, see Live Mode.
- Assuming Tails on a DVD which can only be written to once, not DVD-RW.
- Or Using Tails USB with physical, active and effective (non-circumventable by software) write protection switch enabled.
- As in a substantial user group willing and able to do this.
- This would be a prudent approach but search engines indicate that no or very few users run this configuration.
- Excluding malware compromise.
- Once targeted malware is active it can circumvent read-only settings, mount the harddrive, and add malware which becomes active after next boot.
Tails takes care not to use any filesystem that might exist on the host machine hard drive, unless explicitly told to do so by the user. The Debian Live persistence feature is disabled by passing nopersistence over the kernel command line to live-boot.
Removable drives auto-mounting is disabled in Tails 0.7 and newer.
- https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults contains a configuration for GNOME only. This is reasonable in the Tails context since its default desktop is GNOME and others are unsupported.
- Considered a feature or bug?
amnesia could depend on both
wiperam to simplify live boot for users.
- The user being aware of currently running in live mode vs persistent mode.
- Without Live Mode Indicator (see below) it is not obvious to the user if they booted into persistent or live mode. This might lead to a mistake where live boot is not selected from the grub boot menu (persistent mode is instead set), but the user believes otherwise.
- Consistently good because amnesia has always been a core Tails feature. It is obvious to the user that nothing persists except folders that have selective persistence enabled.
- Kicksecure is primarily run inside virtualizers. grub-live is an extra configuration step on the user's host.
- Using standard package managers such as
- Such as from Debian
- Release upgrade of Tails from let's say Debian
buster is a non-trivial development effort. See also: https://tails.boum.org/doc/upgrade/
- Persistent boot is the default option in grub boot menu.