Your question is probably too broad for an answer of reasonable length, but here are some pointers:
You want to go with Linux. Windows doesn't like being transplanted to other machines. You'll also want to use UEFI boot, not BIOS boot. This is the most portable solution right now.
Use LUKS for full disk encryption on the root partition (/) stored on the SSD. Place the unencrypted /boot partition on the flash drive. Your key is on the same device anyway, so there's no point in encrypting any data stored there. ESP (EFI System Partition) should also be stored on the flash drive. Install GRUB on it; it will be the boot entry point.
ESP and /boot are elements of the boot chain, so never leave the flash drive unattended. Once it happens, you have to consider the boot chain compromised - ESP and /boot may have been tampered with. /boot could be encrypted with an additional password to prevent that, but ESP cannot be encrypted. So if you suspect the flash drive could be compromised, but the SSD is in a safe location, you have to:
- Find a trusted Linux machine.
- Nuke ESP and /boot, then recreate them from a safe backup or rebuild from scratch.
- Generate new encryption keys and cryptsetup-reencrypt the SSD.
The unencrypted ESP problem could be mitigated by:
- Signing the boot files with your private key
- Password-protecting UEFI to prevent tampering with signature databases
- Updating UEFI signature databases to contain only your public key
- Enabling Secure Boot to prevent booting from unsigned binaries
- Signing kernel and initrd
- Building a standalone signed GRUB binary with embedded config and kernel signature enforcement
You can't do that, though, because you want your setup to not be limited to any physical machine.
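The rule in the answer above (an unattended flash drive means the boot chain must be treated as compromised) is easier to act on when you can tell whether the ESP and /boot files actually changed. The following is an added example, not code from gronostaj's answer or from any of the tools named there: a keyed manifest check over the flash drive's file tree. It assumes the HMAC key is kept on the LUKS-encrypted root (a path such as /root/boot-manifest.key, which is an assumption), so the key is only readable once the SSD has been unlocked, while the manifest itself can sit anywhere because the HMAC authenticates it. This runs only after the system is up, so it does not replace the Secure Boot signing mitigations listed above; it is a detection aid for deciding whether the rebuild and cryptsetup-reencrypt steps are needed.

```python
"""Added example: keyed integrity manifest for an unencrypted /boot + ESP tree.

Assumption: `key` is read from a file on the encrypted root after unlock
(e.g. /root/boot-manifest.key, a made-up path); the files created in demo()
are constructed stand-ins for the real boot files, not real images.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so large kernels/initrds are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tree: Path, key: bytes) -> dict:
    """Hash every regular file under `tree` and tag the listing with an HMAC."""
    files = {}
    for p in sorted(tree.rglob("*")):
        if p.is_file() and not p.is_symlink():
            files[p.relative_to(tree).as_posix()] = _file_digest(p)
    payload = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_manifest(tree: Path, key: bytes, manifest: dict) -> list:
    """Return a list of findings; an empty list means the tree matches."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Check the manifest itself first: without the key an attacker who edits
    # /boot cannot produce a matching tag for an edited listing.
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    current = build_manifest(tree, key)["files"]
    findings = []
    for rel, digest in manifest["files"].items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest["files"]:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> tuple:
    """Build a constructed flash-drive tree, record it, tamper, and re-check."""
    key = os.urandom(32)  # in practice: read from a file on the encrypted root
    with tempfile.TemporaryDirectory() as d:
        tree = Path(d)
        # Constructed stand-ins for ESP and /boot contents (not real binaries).
        (tree / "EFI" / "BOOT").mkdir(parents=True)
        (tree / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"grub-efi-image")
        (tree / "grub").mkdir()
        (tree / "grub" / "grub.cfg").write_text("linux /vmlinuz root=/dev/mapper/root\n")
        (tree / "vmlinuz").write_bytes(b"kernel-image")
        (tree / "initrd.img").write_bytes(b"initrd-image")

        manifest = build_manifest(tree, key)
        clean = verify_manifest(tree, key, manifest)

        # Simulate what an unattended drive might come back with:
        # an edited config, an extra file, and a removed initrd.
        (tree / "grub" / "grub.cfg").write_text("set timeout=0\n")
        (tree / "extra.efi").write_bytes(b"unknown")
        (tree / "initrd.img").unlink()
        tampered = verify_manifest(tree, key, manifest)

        # A manifest rewritten without the key fails before any file is read.
        forged = dict(manifest, hmac="00" * 32)
        forged_findings = verify_manifest(tree, key, forged)
    return clean, tampered, forged_findings


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

Run build_manifest right after installing GRUB and the kernel (and again after every kernel update), store the manifest, and run verify_manifest each time the drive has been out of your sight; any finding at all is the trigger for the rebuild steps in the answer.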
What have you tried? Where are you stuck? What are you trying to achieve by keeping the decryption key on a separate device? – gronostaj – 2018-06-25T08:25:40.640
I don't understand what you want to achieve by using two separate devices. I suppose you want to make sure the external SSD is secure when unattended. You could have an additional flash drive acting as a hardware key which you always take with you and keep safe. But you could as well just take the SSD. Clearly I'm missing something, could you clarify your intentions? – gronostaj – 2018-06-25T08:38:52.797
Regular Windows does not support booting off USB drives. – Daniel B – 2018-06-25T09:05:52.310
Why did you remove the original question? – Dominique – 2018-06-28T07:36:37.413
Could just use any linux live USB + some encrypted data (folder or partition) – Xen2050 – 2018-06-29T23:04:44.720