Host Live Mode: Boot existing Host Operating System into Live Mode

VM Live Mode | Host Live Mode | Kicksecure ™ on USB |
Users can optionally run Kicksecure ™ as a live system. FREE Either by using:
- VM Live Mode, or
- Host Live Mode (this page).
This is only available for Debian / Kicksecure based hosts and perhaps their derivatives.
One of the primary objectives of Host Live Mode is preventing malware from gaining persistence and having an unchanged system after reboot. This is also useful for improved storage device privacy as well as experimental changes like testing software.
If you are interested in installation of Kicksecure ™ on USB, see Kicksecure ™ on USB.
Introduction[edit]
A persistent malware compromise after reboot would require targeted [1] malware which gains super user (root) access to re-mount the disk for write access.
It is recommended to regularly boot into persistent mode for installation of updates.
There are two choices:
grub-live
: Boots into persistent mode by default. The grub boot menu has an option to boot into live mode.grub-default-live
setting: Boots into live mode by default. The grub boot menu has an option to boot into persistent mode.
This is also a useful tool for better privacy on the hard drive, as well as experimental changes like testing software.
Installation[edit]
Kicksecure ™ VM users: this procedure is unnecessary because the
grub-live
software package is installed by default in Kicksecure ™ -- see VM Live Mode.
For operating systems other than Kicksecure ™ (or Kicksecure ™ based operating systems such as Whonix ™), please press on expand on the right.
1. Download the Signing Key.
2. Optional: Check the Signing Key for better security.
3. Add Kicksecure ™ signing key.
4. Kicksecure ™ APT repository choices.
Optional: See Kicksecure ™ Packages for Debian Hosts and Kicksecure ™ Host Enhancements instead of the next step for more secure and complex options.
5. Add Kicksecure ™ APT repository.
6. Update the package lists.
7. Install grub-live
.
Figure: Persistent Mode Boot
Figure: Live Mode Boot
After reboot a new live mode
entry will appear in the grub boot menu.
Instructions[edit]
1. Shut down Kicksecure ™.
2. Power on Kicksecure ™.
3. During the grub boot menu wait until you see the following.
Develop a very basic understand of the following screenshot. Consider the explanation below. Expected time requirement: 1 - 3 minutes.
Figure: Persistent Mode Boot
The following screenshot shows 4 boot options in the boot menu.
Kicksecure GNU/Linux
Advanced options for Kicksecure GNU/Linux
Kicksecure Live-mode GNU/Linux
Advanced options forKicksecure Live-mode GNU/Linux
The in the first option indicates that this is the currently selected boot option.
The white text color on the blue background further indicates the currently selected boot option. Other boot options currently unselected have light blue text color.
This is also illustrated by the first option with the
Kicksecure GNU/Linux
also being written in white color instead of light blue color.
4. Use the arrow key on the keyboard to switch to live mode.
Figure: Live Mode Boot
5. Press enter.
6. Done.
The system is booting into live mode.
Functionality Test[edit]
Create a new file in your home directory then reboot (assuming you were already booted in the live mode from the boot menu) then restart the computer. You should not see that file anymore.
Comparison[edit]
Table: Comparison of grub-live and Tails
Aspect | grub-live on the host [2] / grub-default-live on the host |
Tails DVD only | Tails USB / DVD, with persistent USB | Tails read-only medium all other writable disks unplugged [3] [4] |
---|---|---|---|---|
Common [5] mode of operation | Yes | Yes | Yes | No [6] |
Amnesic / protects against disk modifications [7] | Yes | Yes | Yes | Yes |
Protects against malware persistence on hard drive after malware compromise | No [8] | No [8] | No [8] | Yes [8] |
Protects against firmware trojans after malware compromise | No [8] | No [8] | No [8] | No [8] |
Avoid writing to any host disks | ? | Yes [9] | Yes [9] | Yes [9] |
Disables removable drives auto-mounting | No | Yes [10] [11] | Yes [10] | Yes [10] |
Disables swap | ? | Yes | Yes | Yes |
Disabled virtual machine shared folders | No [12] | ? | ? | ? |
Wipe RAM on shutdown | No [13] | Yes, but with limitations. [14] | Yes, but with limitations. [14] | Yes, but with limitations. [14] |
Wipe video RAM on shutdown | No [15] | No [16] | No [16] | No [16] |
Emergency shutdown on USB removal | No | Yes | Yes | Yes |
Live Mode Usability [17] | Average [18] | Good [19] | Good [19] | Good [19] |
Live Mode Indicator | For Xfce only. Not yet documented. [20] | Unneeded | Unneeded | Unneeded |
Unified Amnesic + Anonymous User Experience | No [21] | Yes | Yes | Yes |
Easy standard ("everyday") upgrades [22] | Yes | ? | ? | ? |
Release upgrades [23] possible anytime [22] | Yes | No [24] | No [24] | No [24] |
Live boot by default |
|
Yes | Yes | Yes |
Persistent boot by default |
|
No | No | No |
Full disk encryption compatibility | Yes | No | No | No |
Encrypted persistence supported | Yes | Yes [26] | Yes [26] | Yes [26] |
Forum Discussion[edit]
See: Whonix live mode / amnesia / amnesic / non-persistent / anti-forensics
Footnotes[edit]
- ↑ Re-mounting the disk for write access is not yet a default feature available to off-the-shelf malware; no such reports have come to our attention.
- ↑ Meaning,
grub-live
outside of a virtual machine. Forgrub-live
in a VM, see VM Live Mode. - ↑ Assuming Tails on a DVD which can only be written to once, not DVD-RW.
- ↑ Or Using Tails USB with physical, active and effective (non-circumventable by software) write protection switch enabled.
- ↑ As in a substantial user group willing and able to do this.
- ↑ This would be a prudent approach but search engines indicate that no or very few users run this configuration.
- ↑ Excluding malware compromise.
- ↑ 8.0 8.1 8.2 8.3 8.4 8.5 8.6 8.7 Once targeted malware is active it can circumvent read-only settings, mount the harddrive, and add malware which becomes active after next boot.
- ↑ 9.0 9.1 9.2
Quote https://tails.boum.org/contribute/design/
Tails takes care not to use any filesystem that might exist on the host machine hard drive, unless explicitly told to do so by the user. The Debian Live persistence feature is disabled by passing
nopersistence
over the kernel command line to live-boot. - ↑ 10.0 10.1 10.2
Quote https://tails.boum.org/contribute/design/
Removable drives auto-mounting is disabled in Tails 0.7 and newer.
https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults
- ↑
https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults
contains a configuration for GNOME only. This is reasonable in the Tails context since its default desktop is GNOME and others are unsupported.
- ↑ Considered a feature or bug?
- ↑
It might be possible to create a separate package
wiperam
.- https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix/5596
- https://github.com/QubesOS/qubes-issues/issues/1562
amnesia
could depend on bothgrub-live
andwiperam
to simplify live boot for users. - https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix/5596
- ↑ 14.0 14.1 14.2 https://tails.boum.org/contribute/design/memory_erasure/
- ↑
https://github.com/QubesOS/qubes-issues/issues/1563
- ↑ 16.0 16.1 16.2 https://redmine.tails.boum.org/code/issues/5356
- ↑ The user being aware of currently running in live mode vs persistent mode.
- ↑ Without Live Mode Indicator (see below) it is not obvious to the user if they booted into persistent or live mode. This might lead to a mistake where live boot is not selected from the grub boot menu (persistent mode is instead set), but the user believes otherwise.
- ↑ 19.0 19.1 19.2 Consistently good because amnesia has always has been a core Tails feature. It is obvious to the user that nothing persists except folders that have selective persistence enabled.
- ↑
https://github.com/Kicksecure/desktop-config-dist
- ↑ Kicksecure ™ is primarily run inside virtualizers.
grub-live
is an extra configuration step on the user's host. - ↑ 22.0 22.1 Using standard package managers such as
apt
. - ↑ Such as from Debian
stretch
to Debianbuster
. - ↑ 24.0 24.1 24.2 Release upgrade of Tails from lets say Debian
stretch
to Debianbuster
is a non-trivial development effort. See also: https://tails.boum.org/doc/first_steps/upgrade/index.en.html - ↑ 25.0 25.1 Persistent boot is the default option in grub boot menu.
- ↑ 26.0 26.1 26.2 https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html
Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.