Live USB with Persistence

Briefly describe your issue below:
I created the live USB with dd command then added the ext4 partition. Everything is working fine except that I don’t need to type in the password to log in, and, also, I can’t change the password for user. I am not asked to type in the password even when I install new apps, nor for sudo command in Terminal. Is that how things supposed to be?


What version of Parrot are you running? (include version, edition, and architecture)
Linux parrot 4.18.0-parrot8-amd64 #1 SMP Parrot 4.18.6-1parrot8 (2018-09-07) x86_64 GNU/Linux
What method did you use to install Parrot? (Debian Standard / Debian GTK / parrot-experimental)
dd command
Configured to multiboot with other systems? (yes / no)
no
If there are any similar issues or solutions, link to them below:

If there are any error messages or relevant logs, post them below:

For whatever reason, the Debian-Live-User account password in a LIVE install is not persistent, regardless of whether or not you have set up either a Persistence or Encrypted-Persistence partition. These Persistence and Encrypted-Persistence installations are a bit quirky until you get to know them. Even so, with a tweak here and a work-around there, ParrotSec is overall a very satisfying user experience, and a powerful, feature-loaded OS.

CAVEAT: Be certain that you selected “Persistence” and not “Live Mode” in the GRUB menu. After booting up into the Debian-Live-User account, update your package list and upgrade your virgin (.iso image) system -->> sudo apt update sudo apt full-upgrade. A full upgrade should clear out any bugs or quirks that interfere with changing passwords. If upgrading doesn’t help:

  • Download the latest version of ParrotSec, which is now 4.2.2.

  • BACK UP ALL YOUR PERSONAL FILES that are stored on your Persistence USB stick.

  • Reflash your OS USB stick using Etcher + (available from the ParrotSec downloads page).

Regardless of your boot option selection, the LIVE OS should boot from the opening (GRUB) menu into the log-on screen, where you always input the default password, “toor” (which, in any form of a Persistence use where personal files and custom settings are stored, from a security standpoint, is ridiculous (see below)). The password for the Debian-Live-User account will always be the default password “toor” until you change it either through System, Preferences, Personal, About Me, or through System, Administration, Users and Groups. For obvious reasons, change this password and start the anonymizing Tor daemon (sudo service tor start sudo service tor reload) before you go on-line. Starting the Tor daemon with these terminal commands will not force all your communications through Tor unless you start up Anon Surf. It merely cloaks your MAC and underlying IP addresses (so I’m told).

The passwords for the root account, and for any other user accounts you created in your last LIVE, Persistence or Encrypted-Persistence session, should persist.

I personally believe that the persistence of the default password for the Debian-Live-User account is ridiculous if you’ve selected either the Persistence or the Encrypted-Persistence boot options from the GRUB menu. Unless you have a partition passphrase (see below),+ anyone who finds your USB stick can access your entire system. That’s why you need the initial partition passphrase to lock up access to your partitions.

For more details on Live, Encrypted-Persistence installations see my past posts: VM software on Parrot OS, and Running Tails in a VM inside Parrot 3.11
.


+ Do you not set a Persistence partition passphrase that must be entered during boot up after you’ve selected the Persistence boot option from the GRUB menu? If not, and if you want to secure your personal files and customized system settings, you want to start all over and configure your Live USB system as an Encrypted Persistence system (see below about the non-persistence of your custom Debian Live User account password). That way, you are forced to set a passphrase for each Encrypted Persistence partition during partition setup. From then on, in order to unlock access to your Encrypted Persistence partitions, you’ll be required to enter whatever passphrase you set for that particular partition after selecting Encrypted Persistence from the GRUB menu (you can have a different passphrase for every encrypted partition if you set them up to be independent of each other). Persistence partition passphrases can be changed, but it’s a big pain in the ass. See the documentation in the old community forum.

The “dd” set up option never worked well for me. I have always used Etcher (available from ParrotSec’s download screen) to install the downloaded .iso image onto the USB stick. (Be sure to verify the SHA hash checksums of the .iso image first.) Then I set up two separate encrypted partitions on a separate USB stick; one (very generous) partition for the system settings and updates, and one partition for my personal files. That way I could reflash the OS stick with Etcher every time a new OS version was available from ParrotSec’s download page. If the new OS version would not work with my Encrypted-Persistence settings, I simply deleted the settings partition, rebuilt it, re-upgraded the newly-reflashed, virgin (.iso image) system, and reset all my customized packages and settings. As long as your personal files are stored in a separate encrypted partition, they are always safe.

So why go through all this 2 USB drive, multi-partition rigmarole? Because if you care about the security of your user experience, web-based transactions, and your personal files (again, see above), by routinely reflashing your OS USB stick with a freshly downloaded (and SHA-checksum-verified) new OS version, and, in addition, by rebuilding your encrypted settings partition, you douche out any file/data corruption, and any cleverly embedded malware/spyware (presuming that your system has somehow been penetrated or otherwise corrupted or compromised in the past). For additional security, do your web-based transactions inside of virtual machines via VPN if not via Tor, and use two-factor authentication with those web sites. If you want to retain records of your transaction confirmations, have your web-based accounts send confirmations of those transactions to a two-factor-secured email address.

2 Likes

Thanks so much for this detailed answer! I’ll re read it few more times and see what I can do about it. Your answer is mind blowing :slight_smile: And I’m glad you got this great support for Parrot Linux. Didn’t expect it. It took some time but it was more than worth of waiting. Thank you!

I went through this all and create Live USB with Etcher and the persistence on another USB drive with encrypted partition and it all worked well but the experience when I boot to encrypted persistence was extremely slow and because of that completely useless, unfortunately.

Last edited by cyberdog (2017-11-11 08:27:57)
https://community.parrotsec.org/viewtopic.php?pid=3737#p3737
[I edited the following instructions for persistent USB partitions for clarity.]

If you mess up or want to wipe the persistent partition so you can start from fresh:

Reboot your pc, and load the USB (with Parrot installed from Etcher) from boot options.

Select LIVE from the Parrot GRUB menu.

Once the desktop appears, open a terminal.

Type: sudo su

Type: gparted (or select “System Tools” -->> “Gparted” from Parrot’s “Application” menu).

Use “Device Information” from the “View” menu to select the proper USB device. DO NOT mess this up.

Find the partition labeled "persistence; if you don’t see it, recheck “Device Information” to be sure you have the correct USB device. Navigate to other devices in order to find the partition labeled “persistence”. For safety, remove any USB or other removable storage devices, EXCEPT FOR THE PARROT SYSTEM USB, until these operations are complete.

Right click on the “persistence” partition and select “Delete” to remove it from the drive, thus leaving unallocated space.

From the “Edit” menu, select “Apply All Operations”

Right click on the empty (unallocated) partition again, and select “New”.

Check the amount of drive space you want to set for the persistent partition. It takes lots of space to both add new packages, and to do a full system upgrade on these rolling Debian distros (sudo apt full-upgrade), so I recommend allocating 8-12 gigabytes.

Type: “persistence” (without quotes) in the label field.

From the “Edit” menu, select “Apply All Operations”

If you want to set up a separate persistent data partition for your personal files, repeat all the above steps for freeing up drive space (i.e., unallocated space) and setting up a new partition, except substitute the partition label “data” instead of “persistence”.

Be sure to “Apply All Operations”

Wait for Gparted to update and show your completed handiwork, and then close the Gparted app.

Now, in the terminal, type: sudo su

Next, copy and enter the following one line at a time into the terminal:

cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3 <<-- Be sure to substitute the name of YOUR partition that you previously identified above; e.g., sdc1

Cryptsetup will ask you to type YES in capitals, and then create a new passphrase for your encrypted partition. If this fails (because both entries of your passphrase did not match), repaste the above Cryptsetup command after the terminal prompt and repeat the passphrase submission.

Once the passphrase has been verified, then proceed pasting and entering the following, one line at a time:

cryptsetup luksOpen /dev/sdb3 my_usb <<-- Be sure to substitute the name of YOUR partition that you previously identified above; e.g., sdc1

<-- Enter the passphrase you set earlier when asked.

mkfs.ext4 -L persistence /dev/mapper/my_usb
e2label /dev/mapper/my_usb persistence
mkdir -p /mnt/my_usb
mount /dev/mapper/my_usb /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/mapper/my_usb
cryptsetup luksClose /dev/mapper/my_usb

If you want to set up a separate data partition on your persistent USB drive, repeat all the steps above, except substitute “data” for “persistence” in the following terminal command:

e2label /dev/mapper/my_usb persistence

and omit the following command from the sequence:

echo "/ union" > /mnt/my_usb/persistence.conf

Now reboot your system using the following terminal command:

reboot

Once rebooted, load the Parrot USB from boot options, and select “Encrypted Persistence” from the GRUB menu.

Enter the password for your persistent drive and Parrot will load a virgin OS desktop.

For more details on Live, Encrypted-Persistence installations see my past posts: VM software on Parrot OS, and Running Tails in a VM inside Parrot 3.11

1 Like