PureOS running on USB only, how to achieve high security?

Please be patient with me, after a series of troubling events where i was falsely accused in the course of 16 months of more than 12 criminal offenses and had roughly 30k worth of computer equipment seized ,vacuumed and in the process alot of it ruined beyond repair i have tried to get into IT security. All charges against me have been dropped obviously but the damage done to my mental health,the ptsd ,paranoia and the shame of having decade+ worth of computer content shoved in my face to shame and make me admit to things i had not done not to mention the financial loss have spurred me to take preventative actions now that i know this can happen even to an innocent.

I wanted to try out PureOs (am aware and comfortable with tails for the more sensitive not approved by the main political people stuff) ,after tinkering around with some things and entry level security and theory.

My brother grabbed me a high speed 128gb USB.
I am wondering if it would be possible to both install and run the OS From and On the USB (Separate from the laptops own storage) and if there is a beginner to intermediate guide to this? But more importantly, is there a way for me to require the USB to prompt for a decryption key integrated with the PureOS image installed on the USB or am i better off simply encrypting the USB itself/in the future buying a physical pin USB? Will either or both of these work in order to effectively prevent someone from booting my PureOS USB and at most requiring the login name and password?

I am open to all thoughts and suggestions. Even if you suggest something that is not for me or i do not fully get it, i am in the phase of learning right now so all answers are interesting to me regardless what i end up doing or being capable of atm.

Thank you so much for reading and any help, advice or links to informative guides/articles!



I can also be reached by Email at;

1 Like

Sorry to hear about your dramas.

It is certainly possible to run Linux off a USB drive.

Conventional wisdom is that USB flash drives aren’t really cut out for long term, heavy read-write use - although I have done so. You didn’t explicitly say whether “USB” means USB flash drive (thumb drive) or a USB external drive (whether “portable” or “desktop”, whether magnetic or solid state). I am assuming, from the small capacity if nothing else, that you mean USB flash drive (thumb drive). Hence ensure that you do regular backups.

You are better off sticking with standard encryption approaches unless you are a crypto expert. Standard encryption approaches should be adequate to ensure that the entire drive except for the small boot partition is unreadable and unusable unless you know the decryption passphrase.


Correctly assumed yes, it is a high end Corsair USB 3.0 Thumb drive. I will certainly make sure to have spares purchased promptly so that i can begin backing it up immediately after i begin using it.

In theory i know i know a great deal but i am learning through trial and error on an old Lenovo I5 before i power my intended to be secure laptop (xps 15) and immediatly put all security measures in place asap after first eliminating any bloat/freeware etc.

Am familiar with Veracrypt so perhaps that is my best option then,given its history of failed government agency attempts at bypassing. If you agree this sounds like a good option,i will consider your answers to have solved my somewhat inexperienced questions.

I thank you very much for doing so :slight_smile:


I could be wrong, but I believe veracrypt only does full-disk encryption for windows. This isn’t a problem if that’s the OS you want to use, but if you want to use PureOS then you’re better off using LUKS.

The procedure for the latter is (from my experience) the same as installing it on your computer, you just instead tell the installer to do everything to your flash drive.


You may be correct ,i am going to google it for clarification. I have tinkered with LUKS aswell as poured over its intricacies and details and succesfully trialed it on my Lenovo so if it turns out Veracrypt wont work or LUKS is the better option for PureOS (being linux specific) i will go that route.

Thank you for pointing it out to me! :slight_smile:
All the pieces of my personal little secure laptop and online anonymity are slowly,but less slowly and surely coming together. You both have been great,barely even 5 hours since i posed my initial question :astonished:

1 Like

But being aware of what to use or perhaps to avoid is fine too: https://lbry.tv/@RobBraxmanTech:6/is-protonmail-safe-for-security-and:7

1 Like


There are technical reasons why in Linux, or probably any operating system, you want to encrypt as much as you can.

1 Like

One idea / possible way forward may also be to separate the OS completely from your data. What I mean by this is to have a LUKS encrytpted data USB stick that you keep as permanent storage (ideally, have a second drive for backups). Then have one small USB drive and put Tails on it. This one you can use as your operating system that doesn’t remember and is thus not a risk for leaking anything.

If you want your data storage to be cross system compatible you should use veracrypt to full-disk encrypt the data USB drive. If you want to read it only from Linux, which I guess might be your choice if you go down this route, use a LUKS encryption. It’s more integrated into the general Linux workflow than Veracrypt (although tails has native veracrypt support).

Finally, some good tips and best practices for extreme cases, which you clearly have: A very recently published book by Michael Bazzell (see his website here) discusses extreme privacy and, among many other things, has a detailed chapter on digital security and operating tails, etc. It is surely oriented a bit towards the US market, however, this second edition has many more things in it that are of interest for the international market.


Thank you!
I have a lot of older items (Old laptops,cheap USB thumbdrives,SD/Flash cards,older external drives) So i have honestly been looking at every suggestion offered already. Since all my modern equipment was taken from me and mostly bricked and certainly compromised,ive used older things from me and my brothers shared storage unit.

He works at a high level for a US computer manufacturer so through him ,and my old career, i atleast have access to alot of free or greatly reduced high quality or custom items to use so these older lenovo laptops and such i am basically practicing all the great advice given here by yourself and others,and everything i have learned in the last 6 months or so of deep diving and combining theory and reading with practical application.

I think you would agree that for the sake of best possible privacy and security, once i bring my xps 15 online i should be ready to effectively wipe any bloat/freeware/all of it, re-install and add every single aspect of physical security,encryption and privacy. I have two encrypted email accounts i created on a third party trusted persons computer using tails, which i will use for private/business emails and the other for anything during install and configuration that needs an email.

I realize keeping windows 10 as the main OS will be a risk but i figure i need another 6-12 months to achieve high degree of competency in 2 alternative OS systems,2 programming languages (I picked python among some others to practice), and become acceptable at a few more OS’s and languages to the point of being able to follow intermediate level guides and conduct basic solo troubleshooting.

Will be employing MFA for windows, likely landing on LUKS for both PureOS and Tails and potentially replacing the 128gb Corsar 3.0 thumbdrive with a different & more expensive, 10 key physical pin ones with a 5 attempts hard limit or it self bricks.

I really appreciate all the great advice i am given, Come the Librem 15v6 and the Librem phone achieving wider operational status these are both items i hope to purchase later to further increase privacy and apply lessons learned and knowledge aqquired.

Thanks to all the memory exercises from when i studied HUMINT i am atleast able to hold 6-8 different 10-14 Numerical Pin codes in my head in permanent memory and 6, 28 character randomized Alpha-numerical passwords so i wont be caught like that hacker in the US who had top notch security but used the name of his Cat (Chewy) as his passphrase ,all across his systems! :roll_eyes:

Thank you also for the link to Michael Bazzell, i have decided to purchase it. Typically speaking atleast among western nations, few countries make privacy (especially against radical extremists with political agendas,or law enforcement) such a difficult thing to truly achieve,likewise security. There may be laws which apply differently but otherwise just from reading his website it seems to be a perfect fit.

Atleast i have a headstart in that physically i have already technically dissapeared. Learnt enough about how supposed russians might operate and how we might find out about their double lives to know what our government can and cannot do and what anyone can do that will or wont attract scrutiny or raise a flag that there is reason to look closer by any civilian,law enforcement or private company,insurance etc. Also loved the part he mentioned about ghost addresses and mail forwarding. I personally recommend anyone to use one of the older (100+) foreign mail forwarding services. Excellent privacy protection,they scan and photograph your mail upon request and you can ask them to destroy it,store it or open it and photograph the contents and communicate the photos by mail or text message. Allowing bills to be paid and the letters then shredded,spam/junk to be shredded and if you wish it…legal documents required to be recieved physically in order to count as being served…shredded.

In the events i want something physically,i gets sent to a larger P.O box which i visit irregularly and not too near where i have chosen to reside.

Perhaps one day,like michael, i will write a book for people in The nordic region or Baltic states on how to physically dissapear while leaving every appearance of being both visible and a model citizen unless or until someone actually tries to combine Your non actual address,with a forced physical meeting on that premise and you are either unwilling or incapable of having access to it to keep up appearances.
Thousand other things too…

I tend to write too much,so apologize for the TL:DR.
current timeline has me going ghost mode on the secure laptop in 9-15 days depending on how well my practical practice and application goes.

All my thanks to you aswell,and every other poster. All your advice will be tested and i will familiarize myself with each alternative and combination of alternatives on this older device.

I firmly believe that if i slowly and over a length of time apply one security feature,one privacy feature,change one setting ( or worse,settings i dont fully understand ) i am effectively building up one wall at a time after anyone and everyone could have gone in and left a backdoor entry. Constructing a fortress with all bad elements potentially having been allowed inside already.

Hopefully,my approach is sound, physical security and HUMINT is not always so different in concept but i never used to need or have a deeper understanding of IT systems,cryptography,firmware or programming.

The Free Ranging Human

That sounds great. Luckily, most linux OSes in general can run without using too many resources, so older hardware can in fact be pretty great still, even if it’s clunky on windows or osx.

That’s fine, you don’t want to lock down everything at light speed and then notice that you screwed up somewhere and are either locked out or things are not as tight as you want it. It’s good to understand well first on what you want / need, but also on what it entails. While you are still using windows, have a USB drive with tails ready. You can boot into the system and use it, once you close it down it will be like you never used it. No need for encryption of the OS in fact because it is created to have no memory (of course if you want data somewhere, it must be encrypted).

Another approach would be to use a veracrypt container. Those can be set up with plausible deniability, i.e., one password that “opens it” but doesn’t expose anything, it just looks like a drive, while another password actually unlocks your device. I don’t think that is possible with LUKS so you might in fact consider veracrypt for those occasions.

I guess v6 is still a bit out, first waiting for v5, but hey, it’s a plan :wink: With the librem phone I’m not sure I fully agree. One of the main downsides of the phone for me would be adoptability. My family is just not going to communicate with me anymore if I am only on Matrix and text messages are not an option. So I’m a bit bound to what is available. I hope this changes in the future. One more downside: killswitches are great, you don’t have to get a faraday bag, however, I would never use an actual SIM phone number. For myself I have adopted a MySudo as a phone service. Agreed, this is limited to the US and Australia at this point, however, there might be something similar in your region. The actual phone number that is associated with my SIM card, I honestly don’t know. The SIM card is in an alias name and I never use it, so it would take a potential attacker a bit longer (and probably physical access to the device) in order to get the phone number and track me during those times when I actually need the phone, i.e., when it’s not in its faraday bag. MySudo is currently not available on the Librem phone and for all of those reasons I don’t believe it is the most private phone that is around at the moment. I love the idea and completely support it, however, at this point I can’t adopt it for my personal privacy profile.

You’ll enjoy the read. It’s for sure on the tin hat wearing side, but it seems like that’s exactly what you’re looking for. It is also a technical manual, meaning that there are detailed instructions for things in there, so that’s useful, even for your windows computer! I wanted to point out that you might also be interested in his podcast. It’s available for free and it discusses many different topics around privacy. (Note: I’m not actually affiliated with MB or inteltechniques in any way).

It will take time for sure, but you will get used to it and slowly but surely become more private and secure! And always ask if you have questions, as you can see, at least for my part, I enjoy writing long and detailed (hopefully also understandable) answers :slight_smile:

1 Like

Before using plausible deniability, a user should read and understand the caveats about its use.

It would seem that LUKS does not directly support plausible deniability. However you can get a similar effect with LUKS if you want. That said, it is doubtful that you could do that with a root drive i.e. the boot mechanism will probably only support vanilla LUKS scenarios.

Digressing but … text messages are only not an option if you choose not to send text messages. The Librem 5 should be able to send text messages just like any phone - and a text message sent by a Librem 5 is totally insecure just like any phone (unless you apply encryption at a layer above the text message, which is certainly an option between cooperating parties).

1 Like

Completely agree, thanks for putting that in here.

Yes correct. You can always put encryption on top of it, however, even then it would leave the metadata of what phone number texts whom there, which would soon nullify all attempts at having a number not associated with a name. basically, the SIM functionality of a phone in my book is only here to get data, everything else I don’t need.

Again, I love the idea of the Librem phone, I can see great use of it, it just doesn’t fit my profile at the moment. If / when this changes, I’ll definitely get one in a heart beat.

1 Like

Yes. Definitely true and definitely a problem.

I completely understand why you or anyone else would say that but then you do come up against … the friends and family problem. For some of mine it’s vanilla phone or nothing.

Perhaps you would be wanting Anbox support on the L5, or equivalent Android environment. Don’t know when or if that will come however. Alternatively, MySudo could port their application to the L5 (once the L5 is available in volume) - it seems like the same kind of people who are interested in one would be interested in the other, generally speaking.

1 Like

Do they still make that USB stick with a write tab?

You could put an OS on it then flip the tab…

(See how far that goes.)

1 Like


But it doesn’t necessarily achieve anything - because it can be that the switch (write protect) is just one bit of information that the drive firmware is free to ignore.

Worse still, it isn’t necessarily the case that protecting the content of the drive with a write protect switch protects the firmware itself from being updated.


I was thinking along the lines of Live CD type of boot. Since you can’t get laptops with CD/DVD drives anymore (they’re now an external optional peripheral), just boot with a Live-USB.

It should get treated the same way as an old Live CD, no?

The man in the middle can’t leave a cookie after power down. (Which points to the neverending cookie thread.)

Ignoring PureOS for the moment, could be almost any other linux for this purpose.

What hath the sandcrab wrought?

1 Like

Yes, if you trust the write-protect switch and it works.

1 Like

Well yes, I should probably not buy one that comes from the same folks as the makers of the 5G protection stick. (heh heh heh).

1 Like

Avidense is lft in the mot unpected laces. T rust nothang.