Moving /boot to separate USB media


I could not find documentation anywhere online showing how to properly move /boot to external media and install GRUB correctly for it to work, as well as making sure that it is in fact booting from the external media and not defaulting to the version on the hard drive. I may just be using the wrong search terms, but nothing related comes up.

I hope to accomplish this on Debian.

If I used a CD-R it would protect against evil maid attacks, remotely installed or installed with physical access.



An evil maid attack requires physical access and, given a sophisticated enough attacker, it cannot be defended against. If you feel your device is a target, carry it with you at all times.

Yes, if you fear physical attacks, miniature hardware keyloggers and/or miniature cameras and other kinds of hardware bugs are a risk. Protecting /boot by storing it on an external device would only protect against a small subset of less attractive attack vectors. (Nevertheless it is doable, but undocumented.)

Talk about timing. Installing /boot to USB media is covered in this guide for a fresh Debian install.

However, to do a move, you need to get the UUID of your USB boot device which has GRUB installed on it, and then update grub.cfg and /etc/fstab accordingly, I believe.
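A consistency check for the steps above, written as an added example for this thread and not taken from the guide: it verifies that /etc/fstab, the live /boot mount and the grub.cfg on /boot all refer to the same (assumed, passed-in) USB filesystem UUID. It only checks configuration consistency; which GRUB image the firmware actually loaded is decided by the firmware boot order and cannot be read from these files.

```shell
#!/bin/sh
# Verify that /boot really lives on the USB filesystem with the expected UUID.
# Hypothetical inputs: the UUID is passed in, file contents are passed as strings.

# Print the UUID used for /boot in fstab-formatted text on stdin (empty if none).
fstab_boot_uuid() {
    awk '$1 !~ /^#/ && $2 == "/boot" && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1; exit }'
}

# Print the device node currently mounted at /boot from /proc/mounts-formatted text on stdin.
mounts_boot_device() {
    awk '$2 == "/boot" { print $1; exit }'
}

# Return 0 if grub.cfg text on stdin selects the given UUID as GRUB's root filesystem
# (update-grub emits "search --no-floppy --fs-uuid --set=root <uuid>" lines).
grubcfg_uses_uuid() {
    grep -Eq -- "--fs-uuid[[:space:]]+--set=root[[:space:]]+$1([[:space:]]|\$)"
}

# check_boot_media EXPECTED_UUID FSTAB_TEXT MOUNTS_TEXT BYUUID_DEVICE GRUBCFG_TEXT
# BYUUID_DEVICE is what /dev/disk/by-uuid/EXPECTED_UUID resolves to (readlink -f).
# Returns 0 only when fstab, the live mount and grub.cfg all agree on that filesystem.
check_boot_media() {
    expected="$1"; fstab="$2"; mounts="$3"; byuuid="$4"; grubcfg="$5"
    fs_uuid=$(printf '%s\n' "$fstab" | fstab_boot_uuid)
    [ "$fs_uuid" = "$expected" ] || { echo "fstab: /boot is not UUID=$expected (got '$fs_uuid')"; return 1; }
    dev=$(printf '%s\n' "$mounts" | mounts_boot_device)
    [ -n "$dev" ] && [ "$dev" = "$byuuid" ] || { echo "/boot is mounted from '$dev', expected $byuuid"; return 1; }
    printf '%s\n' "$grubcfg" | grubcfg_uses_uuid "$expected" || { echo "grub.cfg does not set root to UUID $expected"; return 1; }
    echo "ok: /boot is on $expected ($byuuid)"
}

# On a live Debian system (as root, with UUID set to the USB /boot filesystem's UUID):
# check_boot_media "$UUID" "$(cat /etc/fstab)" "$(cat /proc/mounts)" \
#     "$(readlink -f "/dev/disk/by-uuid/$UUID")" "$(cat /boot/grub/grub.cfg)"
```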


The guide was recently updated with a chapter on converting the main Whonix virtual disks to type "immutable" as a means of mitigating against malware.

I just want to use a read-only medium so that my unencrypted /boot partition couldn’t be written over by something evil.

Also in theory evil maid attacks are not always physical. I hope I’m correct in saying that a powerful enough adversary could hack into your computer and rewrite your /boot partition.

Also in theory evil maid attacks are not always physical.
It is a physical attack by definition, by all definitions and uses of the term I have seen until now. I don't think introducing the confusing term of a virtual evil maid makes sense.

This is correct, but an adversary in that position, having the ability to rewrite your /boot partition remotely over a network, can also rewrite your non-boot partition, and then you're already hosed anyway (infected by a trojan horse) without knowing about it. I don't see how a clean boot partition would help in such a situation.