Host Live Mode: Boot existing Host Operating System into Live Mode





Users can optionally run Kicksecure ™ as a live system. Either by using:

Host Live Mode is only available for Debian, Kicksecure and perhaps other Debian-based hosts.

One of the primary objectives of Host Live Mode is to prevent malware from gaining persistence, so that the system is unchanged after a reboot. It is also useful for improved storage device privacy and for experimental changes such as testing software.

If you are interested in installation of Kicksecure ™ on USB, see Kicksecure ™ on USB.

Screenshots

Figure: Persistent Mode Boot

Figure: Live Mode Boot

Introduction

A persistent malware compromise after reboot would require targeted [1] malware which gains super user (root) access to re-mount the disk for write access.

It is recommended to regularly boot into persistent mode for installation of updates.

There are two choices:

  • grub-live: Boots into persistent mode by default. The grub boot menu has an option to boot into live mode.
  • grub-default-live setting: Boots into live mode by default. The grub boot menu has an option to boot into persistent mode.

This is also a useful tool for better privacy on the hard drive, as well as experimental changes like testing software.
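
A check for the two conditions discussed above, which mode the host booted into and whether any disk is currently mounted read-write, as an added example that is not Kicksecure project code. It assumes live mode is marked by the live-boot parameter boot=live on the kernel command line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Kicksecure project code. Function names are hypothetical.
# Assumption: live mode is marked by the live-boot parameter "boot=live".

# boot_mode [CMDLINE_FILE] -> prints "live" or "persistent".
boot_mode() {
    case " $(cat "${1:-/proc/cmdline}") " in
        *" boot=live "*) echo live ;;
        *) echo persistent ;;
    esac
}

# rw_disk_mounts [MOUNTS_FILE] -> prints "DEVICE MOUNTPOINT" for each
# block-device-backed filesystem currently mounted read-write.
rw_disk_mounts() {
    while read -r dev mnt fstype opts rest; do
        case $dev in /dev/*) ;; *) continue ;; esac
        case ",$opts," in *,rw,*) echo "$dev $mnt" ;; esac
    done < "${1:-/proc/mounts}"
}

# live_mode_report [CMDLINE_FILE] [MOUNTS_FILE] -> prints a one-line verdict.
live_mode_report() {
    mode=$(boot_mode "${1:-/proc/cmdline}")
    rw=$(rw_disk_mounts "${2:-/proc/mounts}")
    if [ "$mode" = persistent ]; then
        echo "persistent: changes survive reboot"
    elif [ -n "$rw" ]; then
        # In live mode the system disk should only be read; a read-write disk
        # mount is where changes could outlive the session.
        echo "live-but-writable: $(printf '%s' "$rw" | tr '\n' ';')"
    else
        echo "live: no disk mounted read-write"
    fi
}

# Report on the running system when /proc is available.
if [ -r /proc/cmdline ] && [ -r /proc/mounts ]; then
    live_mode_report
fi
```

A disk listed under live-but-writable may simply be a removable drive you mounted yourself. Malware with root access can remount and unmount between checks, so a clean result is not proof that the disk was never written.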

Installation

Info: Kicksecure ™ VM users: this procedure is unnecessary because the grub-live software package is installed by default in Kicksecure ™; see VM Live Mode.

1. Download the Signing Key.

wget https://www.kicksecure.com/derivative.asc

2. Optional: Check the Signing Key for better security.

3. Add Kicksecure ™ signing key.

sudo cp derivative.asc /usr/share/keyrings/derivative.asc

4. Kicksecure ™ APT repository choices.

Optional: See Kicksecure ™ Packages for Debian Hosts and Kicksecure ™ Host Enhancements instead of the next step for more secure and complex options.

5. Add Kicksecure ™ APT repository.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

6. Update the package lists.

sudo apt update

7. Install grub-live.

sudo apt install grub-live

After reboot a new live mode entry will appear in the grub boot menu.
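
To confirm that the repository added in step 5 is trusted only through the key copied in step 3, the following added example (not Kicksecure project code) audits one-line APT source entries. The function names and the ROOT path-prefix argument are hypothetical, and it assumes signed-by names a single key file as in step 5.

```shell
#!/bin/sh
# Added example, not Kicksecure project code. Function names and the ROOT
# argument (a path prefix for auditing a mounted image or test tree) are
# hypothetical. Assumes signed-by names a single key file, as in step 5.

# audit_apt_line LINE [ROOT] -> prints one verdict word for a "deb" entry.
audit_apt_line() {
    line=$1
    root=${2:-}
    # One-line format: deb [opt=val ...] URI SUITE COMPONENT...
    opts=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\[\([^]]*\)\].*$/\1/p')
    uri=$(printf '%s\n' "$line" | sed 's/\[[^]]*\]//' | awk '{print $2}')
    key=$(printf '%s\n' "$opts" | tr ' ' '\n' | sed -n 's/^signed-by=//p')
    case " $opts " in
        *" trusted=yes "*) echo trusted-yes; return 0 ;;  # signature checks off
    esac
    if [ -z "$key" ]; then
        echo no-signed-by   # any globally trusted APT key may sign this repo
    elif [ ! -s "$root$key" ]; then
        echo key-missing    # pinned key file is absent or empty
    else
        case $uri in
            https://*) echo ok ;;
            *) echo not-https ;;  # still signature-checked, but fetched in clear
        esac
    fi
}

# audit_apt_file FILE [ROOT] -> prints "VERDICT<TAB>ENTRY" per source entry and
# returns 1 if any entry is not "ok".
audit_apt_file() {
    rc=0
    while IFS= read -r entry; do
        case $entry in
            "deb "*|"deb-src "*) ;;
            *) continue ;;   # comments and blank lines
        esac
        verdict=$(audit_apt_line "$entry" "${2:-}")
        printf '%s\t%s\n' "$verdict" "$entry"
        [ "$verdict" = ok ] || rc=1
    done < "$1"
    return "$rc"
}

# Audit the file written in step 5 when it exists on this machine.
list=/etc/apt/sources.list.d/derivative.list
if [ -f "$list" ]; then audit_apt_file "$list" || true; fi
```

This checks how the entry is trusted, not whether derivative.asc is the genuine key; that is what the fingerprint check in step 2 is for.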

Comparison

Table: Comparison of grub-live and Tails

| Aspect | grub-live on the host [2] / grub-default-live on the host | Tails DVD only | Tails USB / DVD, with persistent USB | Tails read-only medium, all other writable disks unplugged [3] [4] |
|---|---|---|---|---|
| Common [5] mode of operation | Yes | Yes | Yes | No [6] |
| Amnesic / protects against disk modifications [7] | Yes | Yes | Yes | Yes |
| Protects against malware persistence on hard drive after malware compromise | No [8] | No [8] | No [8] | Yes [8] |
| Protects against firmware trojans after malware compromise | No [8] | No [8] | No [8] | No [8] |
| Avoid writing to any host disks | ? | Yes [9] | Yes [9] | Yes [9] |
| Disables removable drives auto-mounting | No | Yes [10] [11] | Yes [10] | Yes [10] |
| Disables swap | ? | Yes | Yes | Yes |
| Disabled virtual machine shared folders | No [12] | ? | ? | ? |
| Wipe RAM on shutdown | No [13] | Yes, but with limitations. [14] | Yes, but with limitations. [14] | Yes, but with limitations. [14] |
| Wipe video RAM on shutdown | No [15] | No [16] | No [16] | No [16] |
| Emergency shutdown on USB removal | No | Yes | Yes | Yes |
| Live Mode Usability [17] | Average [18] | Good [19] | Good [19] | Good [19] |
| Live Mode Indicator | For Xfce only. Not yet documented. [20] | Unneeded | Unneeded | Unneeded |
| Unified Amnesic + Anonymous User Experience | No [21] | Yes | Yes | Yes |
| Easy standard ("everyday") upgrades [22] | Yes | ? | ? | ? |
| Release upgrades [23] possible anytime [22] | Yes | No [24] | No [24] | No [24] |
| Live boot by default | grub-live: No [25]; grub-default-live: Yes | Yes | Yes | Yes |
| Persistent boot by default | grub-live: Yes [25]; grub-default-live: No | No | No | No |
| Full disk encryption compatibility | Yes | No | No | No |
| Encrypted persistence supported | Yes | Yes [26] | Yes [26] | Yes [26] |

Forum Discussion

See: Whonix live mode / amnesia / amnesic / non-persistent / anti-forensics

Footnotes

  1. Re-mounting the disk for write access is not yet a default feature available to off-the-shelf malware; no such reports have come to our attention.
  2. Meaning, grub-live outside of a virtual machine. For grub-live in a VM, see VM Live Mode.
  3. Assuming Tails on a DVD which can only be written to once, not DVD-RW.
  4. Or using a Tails USB with a physical, active and effective (non-circumventable by software) write protection switch enabled.
  5. As in a substantial user group willing and able to do this.
  6. This would be a prudent approach but search engines indicate that no or very few users run this configuration.
  7. Excluding malware compromise.
  8. Once targeted malware is active it can circumvent read-only settings, mount the hard drive, and add malware which becomes active after next boot.
  9. Quote https://tails.boum.org/contribute/design/

    Tails takes care not to use any filesystem that might exist on the host machine hard drive, unless explicitly told to do so by the user. The Debian Live persistence feature is disabled by passing nopersistence over the kernel command line to live-boot.

  10. Quote https://tails.boum.org/contribute/design/

    Removable drives auto-mounting is disabled in Tails 0.7 and newer.

    https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults

  11. https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults contains a configuration for GNOME only. This is reasonable in the Tails context since its default desktop is GNOME and others are unsupported.
  12. Considered a feature or bug?
  13. It might be possible to create a separate package wiperam. Then a meta package amnesia could depend on both grub-live and wiperam to simplify live boot for users.
  14. https://tails.boum.org/contribute/design/memory_erasure/
  15. https://github.com/QubesOS/qubes-issues/issues/1563
  16. https://redmine.tails.boum.org/code/issues/5356
  17. The user being aware of currently running in live mode vs persistent mode.
  18. Without Live Mode Indicator (see below) it is not obvious to the user if they booted into persistent or live mode. This might lead to a mistake where live boot is not selected from the grub boot menu (persistent mode is instead set), but the user believes otherwise.
  19. Consistently good because amnesia has always been a core Tails feature. It is obvious to the user that nothing persists except folders that have selective persistence enabled.
  20. https://github.com/Kicksecure/whonix-xfce-desktop-config
  21. Kicksecure ™ is primarily run inside virtualizers. grub-live is an extra configuration step on the user's host.
  22. Using standard package managers such as apt.
  23. Such as from Debian stretch to Debian buster.
  24. Release upgrade of Tails from, let's say, Debian stretch to Debian buster is a non-trivial development effort. See also: https://tails.boum.org/doc/first_steps/upgrade/index.en.html
  25. Persistent boot is the default option in grub boot menu.
  26. https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html
