Velvet Star Monitor


How to install Linux on pendrive for UEFI?

Writer Olivia Zamora

I have successfully installed Linux Mint on a USB pen-drive with disk encryption from a live CD (not by using the universal USB installer). It asks for a password during BIOS boot – it works perfectly.

However, is it possible to do the same for UEFI boot? I know that UEFI works with FAT32 and does not with NTFS. I can't confirm any Linux file system to be supported, though. Eventually, is it possible to install it without encryption?

Unfortunately, my attempts at installing Linux Mint from the Live CD to the pen-drive failed. This is the partition setup before installation and during installation.

partition setup

What is wrong? How should I properly set it? Should the boot-loader be placed at dev/sdb1 or dev/sdb (what is the difference)?

1 Answer

Only the EFI System Partition (ESP) must be FAT32-formatted. That's where UEFI will look for OS loaders. Once the loader is found and selected, UEFI will run it. The loader can implement support for whatever filesystem it needs.

For Linux, GRUB is typically used as a loader. For encrypted setups, the easiest approach is to use a separate, non-encrypted /boot partition that uses the encrypted / partition to boot.

One could argue that this setup is not secure because /boot is not encrypted, but at the end of the day the ESP is not encrypted either and can be hijacked. If that's a weakness with your threat model, you have to:

  • Sign the kernel and initramfs
  • Build a self-contained GRUB loader that checks kernel signatures
  • Sign that GRUB loader
  • Add your key to UEFI key store
  • Remove other keys from UEFI key store

For a portable setup, this is not feasible, so an unencrypted /boot isn't any more insecure than an encrypted one. Your files still reside on the encrypted /.

13
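The layout the answer describes (FAT32 ESP, unencrypted /boot, LUKS-encrypted /) can be checked before rebooting. The script below is an added example, not part of the original answer; it assumes /boot is ext2/3/4, takes `lsblk -P -n -o NAME,FSTYPE,PARTTYPE` output on stdin, and its sample table and the names `field` and `check_layout` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a USB stick's partitions against the answer's layout.
# Real use:  lsblk -P -n -o NAME,FSTYPE,PARTTYPE /dev/sdX | check_layout
# (/dev/sdX is a placeholder for the pen-drive)

ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"  # GPT type GUID of an ESP

# field KEY LINE: print VALUE from KEY="VALUE" without eval'ing device text
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# check_layout: prints findings, exit status = number of problems.
# The body is a subshell, so "exit" only leaves the function.
check_layout() (
    esp=0 boot=0 luks=0 bad=0
    while IFS= read -r line; do
        name=$(field NAME "$line")
        fs=$(field FSTYPE "$line")
        ptype=$(field PARTTYPE "$line" | tr 'A-Z' 'a-z')
        if [ "$ptype" = "$ESP_GUID" ]; then
            esp=1
            # lsblk reports FAT filesystems as "vfat"
            [ "$fs" = "vfat" ] || {
                echo "FAIL: ESP $name is '$fs', firmware expects FAT32"
                bad=$((bad + 1)); }
        elif [ "$fs" = "crypto_LUKS" ]; then
            luks=1
        else
            case $fs in ext2|ext3|ext4) boot=1 ;; esac  # assumed /boot types
        fi
    done
    [ "$esp" -eq 1 ]  || { echo "FAIL: no EFI System Partition"; bad=$((bad + 1)); }
    [ "$boot" -eq 1 ] || { echo "FAIL: no unencrypted ext partition for /boot"; bad=$((bad + 1)); }
    [ "$luks" -eq 1 ] || { echo "FAIL: no LUKS container for /"; bad=$((bad + 1)); }
    [ "$bad" -eq 0 ] && echo "OK: ESP + /boot + encrypted / present"
    exit "$bad"
)

# Constructed sample input (not captured from a real device)
SAMPLE_GOOD='NAME="sdb" FSTYPE="" PARTTYPE=""
NAME="sdb1" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"
NAME="sdb2" FSTYPE="ext4" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"
NAME="sdb3" FSTYPE="crypto_LUKS" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"'
printf '%s\n' "$SAMPLE_GOOD" | check_layout
```

The check only covers filesystem types and the ESP type GUID; it does not verify that a loader is installed on the ESP or that anything on it is signed.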
